ETAPS Foreword


Welcome to the 22nd ETAPS! This is the first time that ETAPS took place in the Czech 
Republic in its beautiful capital Prague. 

ETAPS 2019 was the 22nd instance of the European Joint Conferences on Theory 
and Practice of Software. ETAPS is an annual federated conference established in 
1998, and consists of five conferences: ESOP, FASE, FoSSaCS, TACAS, and POST. 
Each conference has its own Program Committee (PC) and its own Steering Committee 
(SC). The conferences cover various aspects of software systems, ranging from theo- 
retical computer science to foundations to programming language developments, 
analysis tools, formal approaches to software engineering, and security. 

Organizing these conferences in a coherent, highly synchronized conference pro- 
gram enables participation in an exciting event, offering the possibility to meet many 
researchers working in different directions in the field and to easily attend talks of 
different conferences. ETAPS 2019 featured a new program item: the Mentoring 
Workshop. This workshop is intended to help students early in the program with advice 
on research, career, and life in the fields of computing that are covered by the ETAPS 
conference. On the weekend before the main conference, numerous satellite workshops 
took place and attracted many researchers from all over the globe. 

ETAPS 2019 received 436 submissions in total, 137 of which were accepted, 
yielding an overall acceptance rate of 31.4%. I thank all the authors for their interest in 
ETAPS, all the reviewers for their reviewing efforts, the PC members for their con- 
tributions, and in particular the PC (co-)chairs for their hard work in running this entire 
intensive process. Last but not least, my congratulations to all authors of the accepted 
papers! 

ETAPS 2019 featured the unifying invited speakers Marsha Chechik (University of 
Toronto) and Kathleen Fisher (Tufts University) and the conference-specific invited 
speakers (FoSSaCS) Thomas Colcombet (IRIF, France) and (TACAS) Cormac 
Flanagan (University of California at Santa Cruz). Invited tutorials were provided by 
Dirk Beyer (Ludwig Maximilian University) on software verification and Cesare 
Tinelli (University of Iowa) on SMT and its applications. On behalf of the ETAPS 
2019 attendants, I thank all the speakers for their inspiring and interesting talks! 

ETAPS 2019 took place in Prague, Czech Republic, and was organized by Charles 
University. Charles University was founded in 1348 and was the first university in 
Central Europe. It currently hosts more than 50,000 students. ETAPS 2019 was further 
supported by the following associations and societies: ETAPS e.V., EATCS (European 
Association for Theoretical Computer Science), EAPLS (European Association for 
Programming Languages and Systems), and EASST (European Association of Software Science and Technology). The local organization team consisted of Jan Vitek and Jan Kofroň (general chairs), Barbora Bühnová, Milan Češka, Ryan Culpepper, Vojtěch Horký, Paley Li, Petr Maj, Artem Pelenitsyn, and David Šafránek.
The ETAPS SC consists of an Executive Board, and representatives of the individual ETAPS conferences, as well as representatives of EATCS, EAPLS, and EASST. The Executive Board consists of Gilles Barthe (Madrid), Holger Hermanns (Saarbrücken), Joost-Pieter Katoen (chair, Aachen and Twente), Gerald Lüttgen (Bamberg), Vladimiro Sassone (Southampton), Tarmo Uustalu (Reykjavik and Tallinn), and Lenore Zuck (Chicago). Other members of the SC are: Wil van der Aalst (Aachen), Dirk Beyer (Munich), Mikołaj Bojańczyk (Warsaw), Armin Biere (Linz), Luis Caires (Lisbon), Jordi Cabot (Barcelona), Jean Goubault-Larrecq (Cachan), Jurriaan Hage (Utrecht), Rainer Hähnle (Darmstadt), Reiko Heckel (Leicester), Panagiotis Katsaros (Thessaloniki), Barbara König (Duisburg), Kim G. Larsen (Aalborg), Matteo Maffei (Vienna), Tiziana Margaria (Limerick), Peter Müller (Zurich), Flemming Nielson (Copenhagen), Catuscia Palamidessi (Palaiseau), Dave Parker (Birmingham), Andrew M. Pitts (Cambridge), Dave Sands (Gothenburg), Don Sannella (Edinburgh), Alex Simpson (Ljubljana), Gabriele Taentzer (Marburg), Peter Thiemann (Freiburg), Jan Vitek (Prague), Tomáš Vojnar (Brno), Heike Wehrheim (Paderborn), Anton Wijs (Eindhoven), and Lijun Zhang (Beijing).

I would like to take this opportunity to thank all speakers, attendants, organizers 
of the satellite workshops, and Springer for their support. I hope you all enjoy the 
proceedings of ETAPS 2019. Finally, a big thanks to Jan and Jan and their local 
organization team for all their enormous efforts enabling a fantastic ETAPS in Prague! 


February 2019 Joost-Pieter Katoen 
ETAPS SC Chair 
ETAPS e.V. President 


Preface 


This volume contains the papers presented at the 22nd International Conference on 
Foundations of Software Science and Computation Structures (FoSSaCS), which took 
place in Prague during April 8–11, 2019. The conference is dedicated to foundational 
research with a clear significance for software science. It brings together research on 
theories and methods to support the analysis, integration, synthesis, transformation, and 
verification of programs and software systems. 

The volume contains 29 contributed papers selected from 85 full paper submissions, 
and also a paper accompanying an invited talk by Thomas Colcombet (IRIF, France). 
Each submission was reviewed by at least three Program Committee members, with the 
help of external reviewers, and the final decisions took into account the feedback from 
a rebuttal phase. The conference submissions were managed using the EasyChair 
system, which was also used to assist with the compilation of the proceedings. 

We wish to thank all the authors who submitted to FoSSaCS 2019, the Program 
Committee members, and the external reviewers. In addition, we would like to thank 
the ETAPS organization for providing an excellent environment for FoSSaCS along- 
side the other ETAPS conferences and workshops. 
Universal Graphs and Good for Games 
Automata: New Tools for Infinite 
Duration Games 


Thomas Colcombet¹ and Nathanaël Fijalkow²


¹ CNRS, IRIF, Université Paris-Diderot, Paris, France
thomas.colcombet@irif.fr

² CNRS, LaBRI, Université de Bordeaux, Bordeaux, France


Abstract. In this paper, we give a self-contained presentation of a recent 
breakthrough in the theory of infinite duration games: the existence of a 
quasipolynomial time algorithm for solving parity games. We introduce 
for this purpose two new notions: good for small games automata and 
universal graphs. 

The first object, good for small games automata, induces a generic 
algorithm for solving games by reduction to safety games. We show that 
it is in a strong sense equivalent to the second object, universal graphs, 
which is a combinatorial notion easier to reason with. Our equivalence 
result is very generic in that it holds for all existential memoryless win- 
ning conditions, not only for parity conditions. 


1 Introduction 


In this abstract, we are interested in the complexity of deciding the winner of finite turn-based perfect-information antagonistic two-player games. So typically, we are interested in parity games, or mean-payoff games, or Rabin games, etc.

In particular we revisit the recent advances showing that deciding the winner of parity games can be done in quasipolynomial time. Whether parity games can be solved in polynomial time is the main open question in this research area, and an efficient algorithm would have far-reaching consequences in verification, synthesis, logic, and optimisation. From a complexity-theoretic point of view, this is an intriguing puzzle: the decision problem is in NP and in coNP, implying that it is very unlikely to be NP-complete (otherwise NP = coNP). Yet no polynomial time algorithm has yet been constructed. For decades the best algorithms were exponential or mildly subexponential, most of them of the form $n^{O(d)}$, where n is the number of vertices and d the number of priorities (we refer to Section 2 for the role of these parameters).

Recently, Calude, Jain, Khoussainov, Li, and Stephan [CJK+17] constructed a quasipolynomial time algorithm for solving parity games, of complexity $n^{O(\log d)}$. Two subsequent algorithms with similar complexity were constructed by Jurdziński and Lazić [JL17], and by Lehtinen [Leh18].

This work was supported by the European Research Council (ERC) under the European Union's Horizon 2020 research and innovation programme (grant agreement No. 670624), and by the DeLTA ANR project (ANR-16-CE40-0007).

Our aim in this paper is to understand these results through the prism of 
good for small games automata, which are used to construct generic reductions 
to solving safety games. A good for small games automaton can be understood 
as an approximation of the original winning condition which is correct for small 
games. The size of good for small games automata being critical in the complex- 
ity of these algorithms, we aim at understanding this parameter better. 

A concrete instantiation of good for small games automata is the notion of separating automata, which was introduced by Bojańczyk and Czerwiński [BC18] to reformulate the first quasipolynomial time algorithm of [CJK+17]. Later Czerwiński, Daviaud, Fijalkow, Jurdziński, Lazić, and Parys [CDF+19] showed that the other two quasipolynomial time algorithms can also be understood as the construction of separating automata, and proved a quasipolynomial lower bound on the size of separating automata.

In this paper, we establish in particular Theorem 9, which states an equivalence between the sizes of good for small games automata, of non-deterministic separating automata, of deterministic separating automata, and of universal graphs. This statement is generic in the sense that it holds for any winning condition which is memoryless for the existential player, hence in particular for parity conditions. At a technical level, the key notion that we introduce to show this equivalence is the combinatorial concept of universal graphs.

Our second contribution, Theorem 10, holds for the parity condition only, and is a new equivalence between universal trees and universal graphs. In particular we use a technique of saturation of graphs which greatly simplifies the arguments. The two theorems together give an alternative, simpler proof of the result in [CDF+19].

Let us mention that the equivalence results have been very recently used to 
construct algorithms for mean-payoff games, leading to improvements over the 
best known algorithm [FGO18]. 


Structure of the paper In Section 2 we introduce the classical notions of 
games, automata, and good for games automata. In Section 3, we introduce 
the notion of good for small games automata, and show that in the context of 
memoryless for the existential player winning conditions these automata can be 
characterised in different ways, using in particular universal graphs (Theorem 9). 
In Section 4, we study more precisely the case of parity conditions. 


2 Games and automata 


We describe in this section classical material: arenas, games, strategies, 
automata and good for games automata. Section 2.1 introduces games, 
Section 2.2 the concept of memoryless strategy, and Section 2.3 the class of 
automata we use. Finally, Section 2.4 explains how automata can be used 
for solving games, and in particular defines the notion of automata that are 
good for games. 
2.1 Games 


We will consider several forms of graphs, which are all directed labelled graphs with a root vertex. Let us fix the terminology now. Given a set X, an X-graph $H = (V, E, \mathrm{root}_H)$ has a set of vertices V, a set of X-labelled edges $E \subseteq V \times X \times V$, and a root vertex $\mathrm{root}_H$. We write $x \xrightarrow{u}_H y$ if there exists a path from vertex x to vertex y labelled by the word $u \in X^*$. We write $x \xrightarrow{u}_H \infty$ if there exists an infinite path starting in vertex x labelled by the word $u \in X^\omega$. The graph is trimmed if all vertices are reachable from the root and have out-degree at least one. Note that as soon as a graph contains some infinite path starting from the root, it can be made trimmed by removing the bad vertices. A morphism of X-graphs from G to H is a map $\alpha$ from vertices of G to vertices of H that sends the root of G to the root of H, and sends each edge of G to an edge of H, i.e., for all $a \in X$, $p \xrightarrow{a}_G q$ implies $\alpha(p) \xrightarrow{a}_H \alpha(q)$. A weak morphism of X-graphs is like a morphism but we lift the property that the root of G is sent to the root of H and instead require that if $\mathrm{root} \xrightarrow{u}_G x$ then $\mathrm{root} \xrightarrow{u}_H \alpha(x)$.


Definition 1. Let C be a set (of colors). A C-arena A is a C-graph in which vertices are split into $V = V_E \uplus V_A$. The vertices are called positions. The positions in $V_E$ are the positions owned by the existential player, and the ones in $V_A$ are owned by the universal player. The root is the initial position. The edges are called moves. Infinite paths starting in the initial position are called plays. Finite paths starting in the initial position are called partial plays. The dual of an arena is obtained by swapping $V_A$ and $V_E$, i.e., exchanging the ownership of the positions.

A W-game G = (A, W) consists of a C-arena A together with a set $W \subseteq C^\omega$ called the winning condition.

For simplicity, we assume in this paper the following epsilon property¹: there is a special color $\varepsilon \in C$ such that for all words $u, v \in C^\omega$, if u and v are equal after removing all the $\varepsilon$-letters, then $u \in W$ if and only if $v \in W$.

The dual of a game is obtained by dualising the arena, and complementing the winning condition.


If one compares with usual games — for instance checkers — then the arena represents the set of possible board configurations of the game (typically, the configuration of the board plus a bit telling whose turn it is to play). The configuration is an existential position if it is the first player's turn to play, otherwise it is a universal position. There is an edge from u to v if it is a valid move for the player to go from configuration u to configuration v. The interest of having colors and winning conditions may not appear clearly in this context, but the intent would be, for example, to tell who is the winner if the play is infinite.

¹ This assumption is satisfied in an obvious way for all winning conditions seen in this paper. It could be avoided, but at the technical price of considering slightly different forms of games: games in which the moves are positive boolean combinations of pairs of colors and positions. Such 'move relations' form a joint generalisation of existential positions (which can be understood as logical disjunction) and universal positions (which can be understood as logical conjunction).

Informally, the game is played as follows by two players: the existential 
player and the universal player². At the beginning, a token is placed at the 
initial position of the game. Then the game proceeds in rounds. At each round, 
if the token is on an existential position then it is the existential player’s turn 
to play, otherwise it is the universal player’s turn. This player chooses an out- 
going move from the position, and the token is pushed along this move. This 
interaction continues forever, inducing a play (defined as an infinite path in the 
arena) labelled by an infinite sequence of colors. If this infinite sequence belongs 
to the winning condition W, then the existential player wins the play, otherwise, 
the universal player wins the play. It may happen that a player has to play but 
there is no move available from the current position: in this case the player 
immediately loses. 


Classical winning conditions Before describing more precisely the semantics of 
games, let us recall what are the classical winning conditions considered in this 
context. 


Definition 2. We define the following classical winning conditions:

safety condition The safety condition is $\mathrm{Safety} = \{0\}^\omega$ over the unique color 0. Expressed differently, all plays are winning. Note that the color 0 fulfills the requirement of the epsilon property.

Muller condition Given a finite set of colors C, a Muller condition is a Boolean combination of winning conditions of the form "the color c appears infinitely often". In general, no color fulfills the requirement of the epsilon property, but it is always possible to add an extra fresh color $\varepsilon$. The resulting condition satisfies the epsilon property.

Rabin condition Given a number p, we define the Rabin condition $\mathrm{Rabin}_p \subseteq (\{1,2,3\}^p)^\omega$ by $u \in \mathrm{Rabin}_p$ if there exists some $i \in \{1, \ldots, p\}$ such that, when projected on this component, 2 appears infinitely often in u, and 3 finitely often. Note that the constant vector 1 fulfills the epsilon property. The Rabin condition is a special case of Muller conditions.

parity condition Given an interval of integers C = [i, j] (called priorities), a word $u = c_1 c_2 c_3 \cdots \in C^\omega$ belongs to $\mathrm{Parity}_C$ if the largest color appearing infinitely often in u is even.

Büchi condition The Büchi condition Buchi is a parity condition over the restricted interval [1, 2] of priorities. A word belongs to Buchi if it contains infinitely many occurrences of 2.

coBüchi condition The coBüchi condition coBuchi is a parity condition over the restricted interval [0, 1] of priorities. A word belongs to coBuchi if it has only finitely many occurrences of 1.

mean-payoff condition Given a finite set $C \subseteq \mathbb{R}$, a word $u = c_1 c_2 c_3 \cdots \in C^\omega$ belongs to $\mathrm{MeanPayoff}_C$ if
$$\liminf_{n \to \infty} \frac{c_1 + c_2 + \cdots + c_n}{n} \geq 0.$$
There are many variants of this definition (such as replacing liminf with limsup), that all turn out to be equivalent on finite arenas.

² In the literature, the players have many other names: 'Eve' and 'Adam', 'Eloise' and 'Abelard', 'Exist' and 'Forall', '0' and '1', or in specific contexts: 'Even' and 'Odd', 'Automaton' and 'Pathfinder', 'Duplicator' and 'Spoiler', ...
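As an added example (not code from the paper), the conditions of Definition 2 checked in Python on ultimately periodic words, given as a lasso (prefix, cycle) standing for prefix · cycle^ω: the colors occurring infinitely often are exactly those of the cycle, and the liminf of the prefix averages is the cycle average, which is all that the conditions above inspect. The lasso encoding and the helper for the epsilon property are assumptions of the example.

```python
"""Classical winning conditions of Definition 2, evaluated on ultimately periodic words.

An infinite word cannot be stored, so a word is given as a lasso (prefix, cycle) and
denotes prefix . cycle^omega.  The set of colors seen infinitely often is exactly the
set of colors of the cycle, which is all that the Muller-type conditions (parity, Buchi,
coBuchi, Rabin) look at; for mean-payoff the liminf of the averages is the cycle average.
"""
from fractions import Fraction
from typing import Sequence, Tuple

Lasso = Tuple[Sequence, Sequence]   # (prefix, cycle) with a non-empty cycle


def colors_seen_infinitely_often(word: Lasso) -> set:
    """Inf(u) for u = prefix . cycle^omega is the set of colors of the cycle."""
    _, cycle = word
    if not cycle:
        raise ValueError("the cycle of a lasso must be non-empty")
    return set(cycle)


def parity(word: Lasso, priorities: range) -> bool:
    """Parity_C: the largest priority seen infinitely often is even."""
    inf = colors_seen_infinitely_often(word)
    if not inf <= set(priorities):
        raise ValueError("word uses a priority outside C")
    return max(inf) % 2 == 0


def buchi(word: Lasso) -> bool:
    """Buchi = Parity over [1, 2]: infinitely many 2s."""
    return parity(word, range(1, 3))


def cobuchi(word: Lasso) -> bool:
    """coBuchi = Parity over [0, 1]: finitely many 1s."""
    return parity(word, range(0, 2))


def rabin(word: Lasso, p: int) -> bool:
    """Rabin_p over ({1,2,3}^p)^omega: some component i sees 2 infinitely often and 3 finitely often."""
    inf_vectors = colors_seen_infinitely_often(word)
    for i in range(p):
        component = {v[i] for v in inf_vectors}
        if 2 in component and 3 not in component:
            return True
    return False


def mean_payoff(word: Lasso) -> bool:
    """MeanPayoff_C: liminf of the prefix averages is >= 0; on a lasso this is the cycle average."""
    _, cycle = word
    return sum(Fraction(c) for c in cycle) / len(cycle) >= 0


def strip_epsilon(word: Lasso, epsilon) -> Lasso:
    """Epsilon property: removing epsilon letters must not change membership.

    The cycle must keep at least one real letter, otherwise the word would become finite."""
    prefix, cycle = word
    new_cycle = [c for c in cycle if c != epsilon]
    if not new_cycle:
        raise ValueError("removing epsilon would leave a finite word")
    return ([c for c in prefix if c != epsilon], new_cycle)
```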


Strategies We describe now formally what it means to win a game. Let us take 
the point of view of the existential player. A strategy for the existential player is 
an object that describes how to play in every situation of the game that could be 
reached. It is a winning strategy if whenever these choices are respected during a 
play, the existential player wins this play. There are several ways one can define 
the notion of a strategy. Here we choose to describe a strategy as the set of 
partial plays that may be produced when it is used. 


Definition 3. A strategy $s_E$ for the existential player is a set of partial plays of the game that has the following properties:

— $s_E$ is prefix-closed and non-empty,

— for all partial plays $\pi \in s_E$ ending in some $v \in V_E$, there exists exactly one partial play of length $|\pi| + 1$ in $s_E$ that prolongs $\pi$,

— for all partial plays $\pi \in s_E$ ending in some $v \in V_A$, all partial plays of length $|\pi| + 1$ that prolong $\pi$ belong to $s_E$.

A play is compatible with the strategy $s_E$ if all its finite prefixes belong to $s_E$. A play is winning if it belongs to the winning condition W. A game is won by the existential player if there exists a strategy for the existential player such that all plays compatible with it are won by the existential player. Such a strategy is called a winning strategy.

Symmetrically, a (winning) strategy for the universal player is a (winning) 
strategy for the existential player in the dual game. A game is won by the univer- 
sal player if there exists a strategy for the universal player such that all infinite 
plays compatible with it are won by the universal player. 


The idea behind this definition is that at any moment in the game, when 
following a strategy, a sequence of moves has already been played, yielding a 
partial play in the arena. The above definition guarantees that: 1. if a partial 
play belongs to the strategy, it is indeed reachable by a succession of moves that 
stay in the strategy, 2. if, while following the strategy, a partial play ends in a 
vertex owned by the existential player, there exists exactly one move that can be 
followed by the strategy at that moment, and 3. if, while following the strategy, 
a partial play ends in a vertex owned by the universal player, the strategy is able 
to face all possible choices of the opponent. 


Remark 1. It is not possible that in a strategy defined in this way one reaches 
an existential position that would have no successor: indeed, 2. would not hold. 


6 T. Colcombet and N. Fijalkow 


Remark 2. There are different ways to define a strategy in the literature. One is as a strategy tree: indeed one can see $s_E$ as a set of nodes equipped with the prefix ordering as the ancestor relation. Another way is to define a strategy as a partial map from paths to moves. All these definitions are equivalent. The literature also considers randomized strategies (in which the next move is chosen following a probability distribution): this is essential when the games are concurrent or with partial information, but not in the situation we consider in this paper.


Lemma 1 (at most one player wins). It is not possible that both the 
existential player and the universal player win the same game. 


Of course, keeping the intuition of games in mind, one would expect also that one of the players wins. However, this is not necessarily the case. A game is called determined if either the existential or the universal player wins the game. The fact that a game is determined is referred to as its determinacy. A winning condition W is determined if all W-games are determined. It happens that not all games are determined.


Theorem 1. There exist winning conditions that are not determined (and it 
requires the axiom of choice to prove it). 


However, there are some situations in which games are determined. This is 
the case of finite duration games, of safety games, and more generally: 


Theorem 2 (Martin’s theorem of Borel determinacy [Mar75]). Games 
with Borel winning conditions are determined. 


Defining the notion of Borel sets is beyond the scope of this paper. It suffices 
to know that this notion is sufficiently powerful for capturing a lot of natural 
winning conditions, and in particular all winning conditions in this paper are 
Borel; and thus determined. 


2.2 Memory of strategies 


A key insight in understanding a winning condition is to study the 
amount of memory required by winning strategies. To define the notion of 
memoryless strategies, we use an equivalent point of view on strategies, using 
strategy graphs. 


Definition 4. Given a C-arena A, an existential player strategy graph $S_E, \beta$ in A is a trimmed C-graph $S_E$ together with a graph morphism $\beta$ from $S_E$ to A such that for all vertices x in $S_E$,

— if $\beta(x)$ is an existential position, then there exists exactly one edge of the form (x, c, y) in $S_E$,

— if $\beta(x)$ is a universal position, then $\beta$ induces a surjection between the edges originating from x in $S_E$ and the moves originating from $\beta(x)$, i.e., for all moves of the form $(\beta(x), c, v)$, there exists an edge of the form (x, c, y) in $S_E$ such that $\beta(y) = v$.

The existential player strategy graph $S_E, \beta$ is memoryless if $\beta$ is injective. In general the memory of the strategy is the maximal cardinality of $\beta^{-1}(v)$ for v ranging over all positions in the arena. For G a W-game with $W \subseteq C^\omega$, an existential player strategy graph $S_E$ is winning if the labels of all its paths issued from the root belong to W.

The (winning) universal player strategy graphs are defined as the (winning) existential player strategy graphs in the dual game.

The winning condition W is memoryless for the existential player if, whenever the existential player wins in a W-game, there is a memoryless winning existential player strategy graph. It is memoryless for the existential player over finite arenas if this holds for finite W-games only. The dual notion is the one of memoryless for the universal player winning condition.


Of course, as far as existence is concerned the two notions of strategy coincide: 


Lemma 2. There exists a winning existential player strategy graph if and only 
if there exists a winning strategy for the existential player. 


Proof. A strategy for the existential player $s_E$ can be seen as a C-graph (in fact a tree) $S_E$ with vertices $s_E$, root $\varepsilon$, and edges of the form $(\pi, a, \pi a)$ for all $\pi a \in s_E$. If the strategy $s_E$ is winning, then the strategy graph $S_E$ is also winning. Conversely, given an existential player strategy graph $S_E$, the set $s_E$ of its paths starting from the root is itself a strategy for the existential player. Again, the winning property is preserved.


We list a number of important results stating that some winning conditions 
do not require memory. 


Theorem 3 ([EJ91]). The parity condition is memoryless for the existential 
player and for the universal player. 


Theorem 4 ([EM79, GKK88]). The mean-payoff condition is memoryless for 
the existential player over finite arenas as well as for the universal player. 


Theorem 5 ([GH82]). The Rabin condition is memoryless for the existential 
player, but not in general for the universal player. 


Theorem 6 ([McN93]). Muller conditions are finite-memory for both players. 


Theorem 7 ([CFH14]). Topologically closed conditions for which the residuals 
are totally ordered by inclusion are memoryless for the existential player. 


2.3 Automata 


Definition 5 (automata over infinite words). Let $W \subseteq C^\omega$. A (non-deterministic) W-automaton $\mathcal{A}$ over the alphabet A is a $(C \times A)$-graph. The convention is to call states its vertices, and transitions its edges. The root vertex is called the initial state. The set W is called the accepting condition (whereas it is the winning condition for games). The automaton $\mathcal{A}_p$ is obtained from $\mathcal{A}$ by setting the state p to be initial.

A run of the automaton $\mathcal{A}$ over $u \in A^\omega$ is an infinite path in $\mathcal{A}$ that starts in the initial state and projects on its A-component to u. A run is accepting if it projects on its C-component to a word $v \in W$. The language accepted by $\mathcal{A}$ is the set $L(\mathcal{A})$ of infinite words $u \in A^\omega$ such that there exists an accepting run of $\mathcal{A}$ on u.

An automaton is deterministic (resp. complete) if for all states p and all letters $a \in A$, there exists at most one (resp. at least one) transition of the form (p, (a, c), q). If the winning condition is parity, this is a parity automaton. If the winning condition is safety, this is a safety automaton, and we do not mention the C-component since there is only one color, i.e., the transitions form a subset of $Q \times A \times Q$, and the notion coincides with the one of an A-graph. For this reason, we may refer to the language L(H) accepted by an A-graph H: this is the set of labelling words of infinite paths starting in the root vertex of H.


Note that here we use non-deterministic automata for simplicity. However, 
the notions developed in this paper can be adapted to alternating automata. 


The notion of ω-regularity. It is not the purpose of this paper to describe the rich theory of automata over infinite words. It suffices to say that a robust concept of ω-regular language emerges. These are the languages that are equivalently defined by means of Büchi automata, parity automata, Rabin automata, Muller automata, deterministic parity automata, deterministic Rabin automata, deterministic Muller automata, as well as many other formalisms (regular expressions, monadic second-order logic, ω-semigroups, alternating automata, ...). However, safety automata and deterministic Büchi automata define only a subclass of ω-regular languages.

Note that the mean-payoff condition does not fall in this category, and automata defined with this condition do not recognize ω-regular languages in general.


2.4 Automata for solving games 


There is a long tradition of using automata for solving games. The general principle is to use automata as reductions, i.e. starting from a V-game G and a W-automaton $\mathcal{A}$ that accepts the language V, we construct a W-game $G \times \mathcal{A}$ called the product game that combines the two, and which is expected to have the same winner: this means that to solve the V-game G, it is enough to solve the W-game $G \times \mathcal{A}$. We shall see below that, unfortunately, this expected property does not always hold (Remark 4). The automata that guarantee the correctness of the construction are called good for games, originally introduced by Henzinger and Piterman [HP06].

We begin our description by making precise the notion of product game. 
Informally, the new game requires the players to play like in the original game, 
and after each step, the existential player is required to provide a transition in 
the automaton that carries the same label. 
Definition 6. Let D be an arena over colors C, with positions P and moves M. Let also $\mathcal{A}$ be a W-automaton over the alphabet C with states Q and transitions $\Delta$. We construct the product arena $D \times \mathcal{A}$ as follows:

— The set of positions in the product game is $(P \uplus M) \times Q$.

— The initial position is $(\mathrm{init}_D, \mathrm{init}_{\mathcal{A}})$, in which $\mathrm{init}_D$ is the initial position of D, and $\mathrm{init}_{\mathcal{A}}$ is the initial state of $\mathcal{A}$.

— The positions of the form $(x, p) \in P \times Q$ are called game positions and are owned by the owner of x in D. There is a move, called a game move, of the form $((x, p), \varepsilon, ((x, c, y), p))$ for all moves $(x, c, y) \in M$.

— The positions of the form $((x, c, y), p) \in M \times Q$ are called automaton positions and are owned by the existential player. There is a move, called an automaton move, of the form $(((x, c, y), p), d, (y, q))$ for all transitions of the form (p, (c, d), q) in $\Delta$.

Note that every game move $((x, p), \varepsilon, ((x, c, y), p))$ of $G \times \mathcal{A}$ can be transformed into a move (x, c, y) of G, called its game projection. Similarly every automaton move $(((x, c, y), p), d, (y, q))$ can be turned into a transition (p, (c, d), q) of the automaton $\mathcal{A}$ called its automaton projection. Hence, every play $\pi$ of the product game can be projected into the pair of a play $\pi'$ in G of label u (called the game projection), and an infinite run $\rho$ of the automaton over u (called the automaton projection). The product game is the game over the product arena, using the winning condition of the automaton.


Lemma 3 (folklore³). Let G be a V-game, and $\mathcal{A}$ be a W-automaton that accepts a language $L \subseteq V$, then if the existential player wins $G \times \mathcal{A}$, she wins G.

Proof. Assume that the existential player wins the game $G \times \mathcal{A}$ using a strategy $s_E$. This strategy can be turned into a strategy $s'_E$ for the existential player in G by performing a game projection. It is routine to check that this is a valid strategy.

Let us show that this strategy $s'_E$ is V-winning, and hence conclude that the existential player wins the game G. Indeed, let $\pi'$ be a play compatible with $s'_E$, say labelled by u. This play $\pi'$ has been obtained by game projection of a play $\pi$ compatible with $s_E$ in $G \times \mathcal{A}$. The automaton projection $\rho$ of $\pi$ is a run of $\mathcal{A}$ over u, and is accepting since $s_E$ is a winning strategy. Hence, u is accepted by $\mathcal{A}$ and as a consequence belongs to V. We have proved that $s'_E$ is winning.


Corollary 1. Let G be a V-game, and A be a deterministic W-automaton that 
accepts the language Y, then the games G and G x A have the same winner. 


Proof. We assume without loss of generality that $A$ is deterministic and complete
(note that this may require slightly changing the accepting condition, for
instance in the case of safety). The result then follows from the application of
Lemma 3 to the game $G$ and its dual.


³ This technique of reduction is in fact more general, since the automaton need not be
a safety automaton. Its use can be traced back, for instance, to the work of Büchi
and Landweber [BL69].


10 T. Colcombet and N. Fijalkow 


The consequence of the above lemma is that when we know how to solve
$W$-games, and we have a deterministic $W$-automaton $A$ for a language $V$,
then we can decide the winner of $V$-games by performing the product of the
game with the automaton, and deciding the winner of the resulting game.
Good for games automata are automata that need not be deterministic, but for
which this kind of argument still works.


Definition 7 (good for games automata [HP06]). Let $V$ be a language,
and $A$ be a $W$-automaton. Then $A$ is good for $V$-games if for all $V$-games $G$, $G$
and $G \times A$ have the same winner.


Note that Lemma 1 says that deterministic automata are good for games 
automata. 


Remark 3. It may seem strange, a priori, not to require in the definition that
$L(A) = V$. In fact, it holds anyway: if an automaton is good for $V$-games, then
it accepts the language $V$. Indeed, let us assume that there exists a word $u \in
L(A) \setminus V$, then one can construct a game that has exactly one play, labelled $u$.
This game is won by the universal player since $u \notin V$, but the existential player
wins $G \times A$. A contradiction. The same argument works if there is a word in
$V \setminus L(A)$.


Examples of good for games automata can be found in [BKS17], together 
with a structural analysis of the extent to which they are non-deterministic. 


Remark 4. We construct an automaton which is not good for games. The alphabet
is $\{a,b\}$. The automaton $A$ is a Büchi automaton: it has an initial state from
which go two $\varepsilon$-transitions: the first transition guesses that the word contains
infinitely many $a$'s, and the second transition guesses that the word contains
infinitely many $b$'s. Note that any infinite word contains either infinitely many
$a$'s or infinitely many $b$'s, so the language $V$ recognised by this automaton is
the set of all words. However, this automaton requires a choice to be made at
the very first step about which of the two alternatives holds. This makes it not
good for games: indeed, consider a game $G$ where the universal player picks any
infinite word, letter by letter, and the winning condition is $V$. It has only one
position, owned by the universal player. The existential player wins $G$ because all
plays are winning. However, the existential player loses $G \times A$, because in this
game she has to declare at the first step whether there will be infinitely many
$a$'s or infinitely many $b$'s, which the universal player can later contradict.


Let us conclude this part with Lemma 4, stating the possibility to compose
good for games automata. We need beforehand to define the composition of
automata.

Given an $A \times B$-graph $\mathcal{A}$, and a $B \times C$-graph $\mathcal{B}$, the composed graph $\mathcal{B} \circ \mathcal{A}$ has
as states the product of the sets of states, as initial state the ordered pair of
the initial states, and there is a transition $((p,q),(a,c),(p',q'))$ if there is a
transition $(p,(a,b),p')$ in $\mathcal{A}$ and a transition $(q,(b,c),q')$ in $\mathcal{B}$. If $\mathcal{A}$ is in fact an
automaton that uses the accepting condition $V$, and $\mathcal{B}$ an automaton that uses
the accepting condition $W$, then the composed automaton $\mathcal{B} \circ \mathcal{A}$ has as
underlying graph the composed graph, and as accepting condition $W$.


Lemma 4 (composition of good for games automata). Let $A$ be a
good for games $W$-automaton for the language $V$, and $B$ be a good for games
$V$-automaton for the language $L$, then the composed automaton $A \circ B$ is a
good for games $W$-automaton for the language $L$.


3 Efficiently solving games 


From now on, graphs, games and automata are assumed to be finite. 

We now present more recent material. We put forward the notion of
good for $n$-games automata (good for small games) as a common explanation
for the several recent algorithms for solving parity games 'efficiently'. After
describing this notion in Section 3.1, we shall give more insight about it in
the context of winning conditions that are memoryless for the existential player
in Section 3.2.

Much more can be said for parity games and good for small games 
safety automata: this will be the subject of Section 4. 


3.1 Good for small games automata 


We introduce the concept of (strongly) good for $n$-games automata (good for
small games). The use of these automata is the same as for good for games
automata, except that they cannot be composed with any game, but only
with small ones. In other words, a good for $(W,n)$-games automaton yields
a reduction for solving $W$-games with at most $n$ positions (Lemma 6). We
shall see in Section 3.2 that as soon as the underlying winning condition is
memoryless for the existential player, there are several characterisations for the
smallest strongly good for $n$-games automata. It is good to keep in mind the
definition of good for games automata (Definition 7) when reading the following
one.


Definition 8. Let $V$ be a language, and $A$ be a $W$-automaton. Then $A$ is good
for $(V,n)$-games if for all $V$-games $G$ with at most $n$ positions, $G$ and $G \times A$
have the same winner (we also write good for small games when there is no need
for $V$ and $n$ to be explicit).

It is strongly good for $(V,n)$-games if it is good for $(V,n)$-games and the
language accepted by $A$ is contained in $V$.


Example 1 (automata that are good for small games). We have naturally the
following chain of implications:

good for games $\Rightarrow$ strongly good for $n$-games $\Rightarrow$ good for $n$-games

The first implication is from Remark 3, and the second is by definition. Thus
the first examples of automata that are strongly good for small games are the
automata that are good for games.
Example 2. We consider the case of the coBüchi condition: recall that the set
of colors is $\{0,1\}$ and the winning plays are the ones that ultimately
contain only 0's. It can be shown that if the existential player wins
in a coBüchi game with at most $n$ positions, then she also wins for the
winning condition $L = (0^*(\varepsilon + 1))^n 0^\omega$, i.e., the words in which there are at
most $n$ occurrences of 1 (indeed, a winning memoryless strategy for the
coBüchi condition cannot contain a 1 in a cycle, and hence cannot contain more
than $n$ occurrences of 1 in the same play; thus the same strategy is also winning
in the same game with the new winning condition $L$). As a consequence,
a deterministic safety automaton that accepts the language $L \subseteq \mathrm{coB\ddot{u}chi}$ (the
minimal one has $n + 1$ states) is good for $(\mathrm{coB\ddot{u}chi}, n)$-games.
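As a worked example added here (it is not part of the original paper), the $(n+1)$-state deterministic safety automaton of Example 2 can be written out explicitly as a counter, and both the inclusion $L \subseteq \mathrm{coB\ddot{u}chi}$ and the minimality of $n+1$ states can be checked directly:

$$
\begin{aligned}
&Q = \{0,1,\dots,n\},\qquad q_0 = 0,\\
&\delta(i,0) = i \quad (0 \le i \le n),\qquad \delta(i,1) = i+1 \quad (0 \le i < n),\qquad \delta(n,1)\ \text{undefined (the run dies: safety).}\\[4pt]
&\text{Residual languages: } L(A_i) = (0^*(\varepsilon+1))^{\,n-i}0^\omega,\ \text{so } L(A) = L(A_0) = L \text{ and } L(A_n) = 0^\omega.\\[4pt]
&L \subseteq \mathrm{coB\ddot{u}chi}:\ \text{a word of } L \text{ has at most } n \text{ letters } 1, \text{ hence a suffix in } 0^\omega.\\[4pt]
&\text{Minimality: } 1^{\,n-i}0^\omega \in L(A_i) \setminus L(A_{i+1}) \text{ for } 0 \le i < n, \text{ so } L(A_n) \subsetneq L(A_{n-1}) \subsetneq \dots \subsetneq L(A_0).\\
&\text{In any deterministic safety automaton for } L, \text{ the prefixes } 1^i \text{ and } 1^j \ (i < j \le n) \text{ must reach distinct states,}\\
&\text{since } (1^i)^{-1}L \ni 1^{\,n-i}0^\omega \notin (1^j)^{-1}L;\ \text{hence at least } n+1 \text{ states are needed.}
\end{aligned}
$$

The strict chain of residuals is also the $\le_\varepsilon$ order of Lemma 10 read on this automaton: $n \le_\varepsilon n-1 \le_\varepsilon \dots \le_\varepsilon 0$.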


Mimicking Lemma 4 which states the closure under composition of good 
for games automata, we obtain the following variant for good for small games 
automata: 


Lemma 5 (composition of good for small games automata). Let
$B$ be a good for $n$-games $V$-automaton for the language $L$ with $k$
states, and $A$ be a good for $kn$-games $W$-automaton for the language $V$,
then the composed automaton $A \circ B$ is a good for $n$-games $W$-automaton
for the language $L$.


We also directly get an algorithm from such reductions. 


Lemma 6. Assume that there exists an algorithm for solving $W$-games of
size $m$ in time $f(m)$. Let $G$ be a $V$-game with at most $n$ positions and $A$ be
a good for $(V,n)$-games $W$-automaton of size $k$; then there exists an algorithm for
solving $G$ of complexity $f(kn)$.


Proof. Construct the game G x A, and solve it. 


The third quasipolynomial time algorithm for solving parity games due to 
Lehtinen [Leh18] can be phrased using good for small games automata (note 
that it is not originally described in this form). 


Theorem 8 ([Leh18,BL19]). Given positive integers $n,d$, there exists a
parity automaton with $n^{\log d + O(1)}$ states and $1 + \lfloor \log n \rfloor$ priorities which is
strongly good for $n$-games.


Theorem 8 combined with Lemma 6 yields a quasipolynomial time algorithm
for solving parity games. Indeed, consider a parity game $G$ with $n$ positions and $d$
priorities. Let $A$ be the good for $n$-games automaton constructed by Theorem 8.
The game $G \times A$ is a parity game equivalent to $G$, which has $m = n^{\log d + O(1)}$
states and $d' = 1 + \lfloor \log n \rfloor$ priorities. Solving this parity game with a simple
algorithm (of complexity $O(m^{d'})$) yields an algorithm of quasipolynomial
complexity:

$$O(m^{d'}) = O\big(n^{(\log d + O(1))\,d'}\big) = n^{O(\log(d)\log(n))}.$$
3.2 The case of memoryless winning conditions


In this section we fix a winning condition W which is memoryless for the 
existential player, and we establish several results characterising the smallest 
strongly good for small games automata in this case. 

Our prime application is the case of parity conditions, that will be stud- 
ied specifically in Section 4, but this part also applies to conditions such as 
mean-payoff or Rabin. 

The goal is to establish the following theorem (the necessary definitions are 
introduced during the proof). 


Theorem 9. Let W be a winning condition which is memoryless for the exis- 
tential player, then the following quantities coincide for all positive integers n: 


1. the least number of states of a strongly (W,n)-separating deterministic safety 
automaton, 

2. the least number of states of a strongly good for (W,n)-games safety automa- 
ton, 

3. the least number of states of a strongly (W,n)-separating safety automaton, 

4. the least number of vertices of a (W,n)-universal graph. 


The idea of separating automata⁴ was introduced by Bojańczyk and Czerwiński
[BC18] to reformulate the first quasipolynomial time algorithm [CJK+17].
Czerwiński, Daviaud, Fijalkow, Jurdziński, Lazić, and Parys [CDF+19] showed
that the other two quasipolynomial time algorithms [JL17,Leh18] can also be
understood as the construction of separating automata.

The proof of Theorem 9 spans Sections 3.2 and 3.3. It is a consequence
of Lemmas 7, 8, 11, and 12. We begin our proof of Theorem 9 by describing the
notion of strongly separating automata.


Definition 9. An automaton $A$ is strongly $(W,n)$-separating if

$$W|_n \subseteq L(A) \subseteq W,$$

in which $W|_n$ is the union of all the languages accepted by safety automata with $n$
states that accept sublanguages of $W$.⁵


Lemma 7. In the statement of Theorem 9, (1) $\Rightarrow$ (2) $\Rightarrow$ (3).


Proof. Assume (1), i.e., there exists a strongly $(W,n)$-separating deterministic
safety automaton $A$, then $L(A) \subseteq W$. Let $G$ be a $W$-game with at most $n$
positions. By Lemma 3, if the existential player wins $G \times A$, she wins the
game $G$. Conversely, assume that the existential player wins $G$, then, by assumption
she has a winning memoryless strategy graph $S_\exists$, $\varphi\colon S_\exists \to G$, i.e., $L(S_\exists) \subseteq
W$ and $\varphi$ is injective. By injectivity of $\varphi$, $S_\exists$ has at most $n$ vertices and
hence $L(S_\exists) \subseteq W|_n \subseteq L(A)$. As a consequence, for every (partial) play $\pi$
compatible with $S_\exists$, there exists a (partial) run of $A$ over the labels of $\pi$ (call
this property $(\star)$). We construct a new strategy for the existential player in $G \times A$
as follows: when the token is in a game position, the existential player plays as
in $S_\exists$; when the token is in an automaton position, the existential player plays
the only available move (indeed, the move exists by property $(\star)$, and is unique
by the determinism assumption). Since this is a safety game, the new strategy
is winning. Hence the existential player wins $G \times A$, proving that $A$ is
good for $(W,n)$-games. Item 2 is established.

Assume now (2), i.e., that $A$ is some strongly good for $(W,n)$-games automaton.
Then by definition $L(A) \subseteq W$. Now consider some word $u$ in $W|_n$. By definition,
there exists some safety automaton $B$ with at most $n$ states such that $u \in
L(B) \subseteq W$. This automaton can be seen as a $W$-game $G$ in which all positions are
owned by the universal player. Since $L(B) \subseteq W$, the existential player wins the
game $G$. Since furthermore $A$ is good for $(W,n)$-games, the existential player has
a winning strategy $S_\exists$ in $G \times A$. Assume now that the universal player is playing
the letters of $u$ in the game $G \times A$, then the winning strategy $S_\exists$ constructs
an accepting run of $A$ on $u$. Thus $u \in L(A)$, and Item 3 is established.


⁴ The definition used in [BC18] is not strictly equivalent to the one we use here: a separating
automaton in [BC18] is a strongly separating automaton in our sense, but not
conversely.

⁵ Note that there is a natural, more symmetric, notion of $(W,n)$-separating automata
in which the requested inclusions are $W|_n \subseteq L(A) \subseteq \big((W^{\mathsf{c}})|_n\big)^{\mathsf{c}}$. However, nothing is
known about this notion.


We continue our proof of Theorem 9 by introducing the notion of
$(W,n)$-universal graph.

Definition 10. Given a winning condition $W \subseteq C^\omega$ and a positive integer $n$, a
$C$-graph $U$ is $(W,n)$-universal⁶ if
- $L(U) \subseteq W$, and
- for all $C$-graphs $H$ such that $L(H) \subseteq W$ and with at most $n$ vertices, there is
a weak graph morphism from $H$ to $U$.


We are now ready to prove one more implication of Theorem 9.

Lemma 8. In the statement of Theorem 9, (4) $\Rightarrow$ (1).


Proof. Assume that there is a $(W,n)$-universal graph $U$. We show that $U$ seen as
a safety automaton is strongly good for $(W,n)$-games. One part is straightforward:
$L(U) \subseteq W$ is by assumption. For the other part, consider a $W$-game $G$ with
at most $n$ positions. Assume that the existential player wins $G$; this means that
there exists a winning memoryless strategy for the existential player $S_\exists$, $\varphi\colon S_\exists \to
G$ in $G$. Since $S_\exists$ has at most $n$ vertices and $L(S_\exists) \subseteq W$, universality of $U$ gives a
weak graph morphism $\psi\colon S_\exists \to U$. We then construct a strategy $S'_\exists$ for the existential player that maintains
the property that the only game positions in $G \times U$ that are met in $S'_\exists$ are of the
form $(\varphi(s), \psi(s))$ for $s$ a vertex of $S_\exists$. This is done as follows: when a game position is encountered, the
existential player plays like the strategy $S_\exists$, and when an automaton position
is encountered, the existential player plays in order to follow $\psi$. This is possible
since $\psi$ is a weak graph morphism.


⁶ Note that this is not the notion of (even weak) universality in categorical terms since
$U$ is not in general itself of size $n$.
3.3 Maximal graphs


In order to continue our proof of Theorem 9, more insight is needed: we have to
understand what the $W$-maximal graphs are. This is what we do now.


Definition 11. A $C$-graph $H$ is $W$-maximal if $L(H) \subseteq W$ and if it is not
possible to add a single edge to it without breaking this property, i.e., without
producing an infinite path from the root vertex that does not belong to $W$.


Lemma 9. For a winning condition $W \subseteq C^\omega$ which is memoryless for the
existential player, and $H$ a $W$-maximal graph, the $\varepsilon$-edges in $H$ form a
transitive and total relation.


Proof. Transitivity arises from the epsilon property of winning conditions (Definition
1): consider three vertices $x$, $y$ and $z$ such that $\alpha = (x,\varepsilon,y)$ and
$\beta = (y,\varepsilon,z)$ are edges of $H$. Let us add a new edge $\delta = (x,\varepsilon,z)$, yielding a
new graph $H'$. Let us consider now any infinite path $\pi$ in $H'$ starting in the
root (this path may contain finitely or infinitely many occurrences of $\delta$, but not
almost only $\delta$'s since $x \neq z$). Let $\pi'$ be obtained from $\pi$ by replacing each
occurrence of $\delta$ by the sequence $\alpha\beta$. The resulting path $\pi'$ belongs to $H$, and thus its
labelling belongs to $W$. But since the labellings of $\pi$ and $\pi'$ agree after removing
all the occurrences of $\varepsilon$, the epsilon property guarantees that the labelling of $\pi$
belongs to $W$. Since this holds for all choices of $\pi$, we obtain $L(H') \subseteq W$. Hence,
by maximality, $\delta \in H$, which means that the $\varepsilon$-edges form a transitive relation.

Let us prove the totality. Let $x$ and $y$ be distinct vertices of $H$. We have to
show that either $x \xrightarrow{\varepsilon} y$ or $y \xrightarrow{\varepsilon} x$. We can turn $H$ into a game $G$ as follows:

- all the vertices of $H$ become positions that are owned by the universal player
and we add a new position $z$ owned by the existential player;
- all the edges of $H$ that end in $x$ or $y$ become moves of $G$ that now end in $z$,
- all the other edges of $H$ become moves of $G$ without change,
- and there are two new moves in $G$, $(z,\varepsilon,x)$ and $(z,\varepsilon,y)$.


We claim first that the game $G$ is won by the existential player. Let us construct
a strategy $s_\exists$ in $G$ as follows. The only moment the existential player has a choice
to make is when the play reaches the position $z$. This has to happen after a move
of the form $(t,a,z)$. This move originates either from an edge of the form $(t,a,x)$,
or from an edge of the form $(t,a,y)$. In the first case the strategy $s_\exists$ chooses
the move $(z,\varepsilon,x)$, and in the second case the move $(z,\varepsilon,y)$. Let us consider a
play $\pi$ compatible with $s_\exists$, and let $\pi'$ be obtained from $\pi$ by replacing each
occurrence of $(t,a,z)(z,\varepsilon,x)$ with $(t,a,x)$ and each occurrence of $(t,a,z)(z,\varepsilon,y)$
with $(t,a,y)$. The resulting $\pi'$ is a path in $H$ and hence its labelling belongs
to $W$. Since the labellings of $\pi$ and $\pi'$ are equivalent up to $\varepsilon$-letters, by the
epsilon property, the labelling of $\pi$ also belongs to $W$. Hence the strategy $s_\exists$
witnesses the victory of the existential player in $G$. The claim is proved.
By assumption on $W$, this means that there exists a winning memoryless
strategy for the existential player $S_\exists$ in $G$. In this strategy, either the
existential player always chooses $(z,\varepsilon,x)$, or she always chooses $(z,\varepsilon,y)$. Up to
symmetry, we can assume the first case. Let now $H'$ be the graph $H$ to which
a new edge $\delta = (y,\varepsilon,x)$ has been added. We claim that $L(H') \subseteq W$. Let $\pi$ be an
infinite path in $H'$ starting from the root vertex. In this path, each occurrence
of $\delta$ is preceded by an edge of the form $(t,a,y)$. Thus, let $\pi'$ be obtained from $\pi$
by replacing each occurrence of a sequence of the form $(t,a,y)\delta$ by $(t,a,y)$. The
resulting path is a play compatible with $S_\exists$. Hence the labelling of $\pi'$ belongs
to $W$, and as a consequence, by the epsilon property, this is also the case for $\pi$.
Since this holds for all choices of $\pi$, we obtain that $L(H') \subseteq W$. Hence, by the
$W$-maximality assumption, $(y,\varepsilon,x)$ is an edge of $H$.

Overall, the $\varepsilon$-edges form a total transitive relation.


Let $\le_\varepsilon$ be the least relation closed under reflexivity that extends the
$\varepsilon$-edge relation.


Lemma 10. For a winning condition $W$ which is memoryless for the existential
player, and $H$ a $W$-maximal graph, the following properties hold:

- The relation $\le_\varepsilon$ is a total preorder.
- $x' \le_\varepsilon x \xrightarrow{a} y \le_\varepsilon y'$ implies $x' \xrightarrow{a} y'$, for all vertices $x',x,y,y'$ and
colors $a$.
- For all vertices $p,q$, $L(H_p) \subseteq L(H_q)$ if and only if $q \le_\varepsilon p$.
- For all vertices $p,q$ and colors $a$, $aL(H_q) \subseteq L(H_p)$ if and only if $p \xrightarrow{a} q$.


Proof. The first part is obvious from Lemma 9. For the second part, it is sufficient
to prove that $x \le_\varepsilon y \xrightarrow{a} z$ implies $x \xrightarrow{a} z$ and that $x \xrightarrow{a} y \le_\varepsilon z$ implies
$x \xrightarrow{a} z$. Both cases are similar to the proof of transitivity in Lemma 9⁷.
The two next items are almost the same. The difficult direction is to assume
the language inclusion, and deduce the existence of an edge (left to right). Let us
assume for an instant that $H$ is a finite word automaton, with all its states
accepting. Then it is an obvious induction to show that if $aL(H_q) \subseteq L(H_p)$ (as
languages of finite words), it is safe to add an $a$-transition from $p$ to $q$ without
changing the language. The two above items are then obtained by passing to the limit
(this is possible because the safety condition is topologically closed).


We are now ready to provide the missing proofs for Theorem 9: from (3) to 
(4), and from (3) to (1). Both implications arise from Lemma 9. 


Lemma 11. In the statement of Theorem 9, (3) $\Rightarrow$ (4).


⁷ This arises in fact from a more general simple phenomenon: if the sequence $ab$ is
'indistinguishable in any context' from $c$ (meaning that if one substitutes simultaneously
infinitely many occurrences of $ab$ with occurrences of $c$ one does not change
the membership to $W$), then $x \xrightarrow{a} y \xrightarrow{b} z$ implies $x \xrightarrow{c} z$.
Proof. Let us start from a strongly $(W,n)$-separating safety automaton $A$. Without
loss of generality, we can assume it is $W$-maximal. We claim that it is
$(W,n)$-universal.

Let us define first, for all languages $K \subseteq C^\omega$, its closure

$$\overline{K} = \bigcap_{s\,:\,L(A_s) \supseteq K} L(A_s)$$

(the intersection ranges over the states $s$ of $A$; in case of an empty intersection, we assume $C^\omega$). This is a closure operator:
$K \subseteq K'$ implies $\overline{K} \subseteq \overline{K'}$, $K \subseteq \overline{K}$, and $\overline{\overline{K}} = \overline{K}$. Furthermore, $a\overline{K} \subseteq \overline{aK}$, for
all letters $a \in C$. Let now $H$ be a trimmed graph with at most $n$ vertices such
that $L(H) \subseteq W$. We have $L(H) \subseteq W|_n$ by definition of $W|_n$.

We claim that for each vertex $x$ of $H$, there is a state $\alpha(x)$ of $A$ such that

$$L(A_{\alpha(x)}) = \overline{L(H_x)}.$$

Indeed, note first that, since $H$ is trimmed, there exists some word $u$ such that
$\mathrm{root}_H \xrightarrow{u} x$. Hence, using the fact that $A$ is strongly $(W,n)$-separating, we
get that for all $v \in L(H_x)$, $uv \in L(H) \subseteq W|_n \subseteq L(A)$. Let $\beta(v)$ be the state
assumed after reading $u$ by a run of $A$ accepting $uv$. It is such that $v \in L(A_{\beta(v)})$.
Since $A$ is finite and its states are totally ordered under inclusion of residuals
(Lemma 10), this means that there exists a state $\alpha(x)$ (namely the maximum
over all the $\beta(w)$ for $w \in L(H_x)$) such that $L(A_{\alpha(x)}) = \overline{L(H_x)}$.

Let us show that $\alpha$ is a weak graph morphism⁸ from $H$ to $A$. Consider some
edge $(x,a,y)$ of $H$. We have $aL(H_y) \subseteq L(H_x)$. Hence

$$aL(A_{\alpha(y)}) = a\overline{L(H_y)} \subseteq \overline{aL(H_y)} \subseteq \overline{L(H_x)} = L(A_{\alpha(x)}),$$

which implies by Lemma 10 that $\alpha(x) \xrightarrow{a} \alpha(y)$. Let now $\mathrm{root}_H \xrightarrow{a} x$ be
some edge. By hypothesis, we have

$$aL(H_x) \subseteq L(H) \subseteq W|_n \subseteq L(A).$$

Thus $aL(A_{\alpha(x)}) = a\overline{L(H_x)} \subseteq \overline{aL(H_x)} \subseteq L(A) = L(A_{\mathrm{root}_A})$. We obtain $\mathrm{root}_A \xrightarrow{a} \alpha(x)$
by Lemma 10. Hence, $\alpha$ is a weak graph morphism.

Since this holds for all choices of $H$, we have proved that $A$ is a
$(W,n)$-universal graph.


Lemma 12. In the statement of Theorem 9, (3) $\Rightarrow$ (1).

Proof. Let us start from a strongly $(W,n)$-separating safety automaton $A$. Without
loss of generality, we can assume it is maximal. Thus Lemma 10 holds.


⁸ Note that in general $\alpha$ is not a (non-weak) graph morphism, even for conditions
like parity. Even more, such a graph morphism does not exist in general.
We now construct a deterministic safety automaton $D$:

- the states of $D$ are the same as the states of $A$,
- the initial state of $D$ is the initial state of $A$,
- given a state $p$ of $A$ and a letter $a$, a transition of the form $(p,a,q)$ exists if
and only if there is some transition of the form $(p,a,r)$ in $A$, and $q$ is chosen
to be the least state $r$ (for $\le_\varepsilon$) with this property.

We have to show that this deterministic safety automaton is strongly $(W,n)$-separating.
Note first that by definition $D$ is obtained from $A$ by removing transitions.
Hence $L(D) \subseteq L(A) \subseteq W$. Consider now some $u \in W|_n$. By assumption,
$u \in L(A)$. Let $\rho = (p_0,u_1,p_1)(p_1,u_2,p_2)\cdots$ be the corresponding accepting run
of $A$. We construct by induction a (the) run of $D$, $(q_0,u_1,q_1)(q_1,u_2,q_2)\cdots$, in
such a way that $q_i \le_\varepsilon p_i$. For the initial state, $p_0 = q_0$. Assume the run up
to $q_i \le_\varepsilon p_i$ has been constructed. By Lemma 10, $(q_i,u_{i+1},p_{i+1})$ is a transition
of $A$. Hence the least $r$ such that $(q_i,u_{i+1},r)$ is a transition of $A$ does exist, and
is $\le_\varepsilon p_{i+1}$. Let us call it $q_{i+1}$; we indeed have that $(q_i,u_{i+1},q_{i+1})$ is a transition
of $D$. Hence, $u$ is accepted by $D$. Thus $W|_n \subseteq L(D)$.

Overall $D$ is a strongly $(W,n)$-separating deterministic safety automaton
that has at most as many states as $A$.


4 The case of parity conditions 


We have seen above some general results on the notions of universal graphs,
separating automata, and automata that are good for small games. In particular,
we have seen Theorem 9 showing the equivalence of these objects for
winning conditions that are memoryless for the existential player.

We now pay closer attention to the particular case of the
parity condition. The technical developments that follow give an alternative
proof of the equivalence results proved in [CDF+19] between strongly separating
automata and universal trees.


4.1 Parity and cycles 


We begin with a first classical lemma, which reduces the question of satisfying
a parity condition to checking the parity of cycles.

In a directed graph labelled by priorities, an even cycle is a cycle (all cycles
are directed) such that the maximal priority occurring in it is even. Otherwise,
it is an odd cycle. As usual, an elementary cycle is a cycle that does not meet
the same vertex twice.


Lemma 13. For an $[i,j]$-graph $H$ that has all its vertices reachable from the
root, the following properties are equivalent:


Universal Graphs and Good for Games Automata 19 


- $L(H) \subseteq \mathrm{Parity}_{[i,j]}$,
- having all its cycles even,
- having all its elementary cycles even.


Proof. Clearly, since all vertices are reachable, $L(H) \subseteq \mathrm{Parity}_{[i,j]}$ implies that all
the cycles are even. Also, if all cycles are even, then all elementary cycles also
are. Finally assume that all the elementary cycles are even. Then we can consider
$H$ as a game, in which every position is owned by the universal player.
Assume that some infinite path from the root does not satisfy $\mathrm{Parity}_{[i,j]}$, then
this path would be a winning strategy for the universal player in this game.
Since $\mathrm{Parity}_{[i,j]}$ is a winning condition memoryless for the universal player,
this means that the universal player has a winning memoryless strategy. But
this winning memoryless strategy is nothing but a lasso, and thus contains an
elementary cycle of maximal odd priority.


4.2 The shape and size of universal graphs for parity games 


We continue with a fixed $d$, and we consider parity conditions using priorities
in $[0,2d]$. More precisely, we relate the size of universal graphs for the
parity condition with priorities $[0,2d]$ to universal $d$-trees as defined now:


Definition 12. A $d$-tree $t$ is a balanced, unranked, ordered tree of height $d$ (the
root does not count: all branches contain exactly $d+1$ nodes). The order between
nodes of the same level is denoted $<$. Given a leaf $x$, and $i = 0,\dots,d$, we denote by
$\mathrm{anc}_i(x)$ the ancestor at depth $i$ of $x$ ($0$ is the root, $d$ is $x$).

The $d$-tree $t$ is $n$-universal if for all $d$-trees $s$ with at most $n$ nodes, there is a
$d$-tree embedding of $s$ into $t$, in which a $d$-tree embedding is an injective mapping
from nodes of $s$ to nodes of $t$ that preserves the height of nodes, the ancestor
relation, and the order of nodes. Said differently, $s$ is obtained from $t$ by pruning
some subtrees (while keeping the structure of a $d$-tree).


Definition 13. Given a $d$-tree $t$, $\mathrm{Graph}(t)$ is a $[0,2d]$-graph with the following
characteristics:

- the vertices are the leaves of $t$,
- for $0 \le i \le d$, $x \xrightarrow{2(d-i)}_{\mathrm{Graph}(t)} y$ if $\mathrm{anc}_i(x) \le \mathrm{anc}_i(y)$,
- for $0 < i \le d$, $x \xrightarrow{2(d-i)+1}_{\mathrm{Graph}(t)} y$ if $\mathrm{anc}_i(x) < \mathrm{anc}_i(y)$.


Lemma 14. For all $d$-trees $t$, $L(\mathrm{Graph}(t)) \subseteq \mathrm{Parity}_{[0,2d]}$.


Proof. Using Lemma 13, it is sufficient to prove that all cycles in $\mathrm{Graph}(t)$ are
even. Thus, let us consider a cycle $\rho$. Assume that the highest priority occurring
in $\rho$ is $2(d-i)+1$. Note then that for all edges $\alpha = (x,k,y)$ occurring in $\rho$:

- $\mathrm{anc}_i(x) \le \mathrm{anc}_i(y)$ since $k \le 2(d-i)+1$,
- if $k = 2(d-i)+1$, $\mathrm{anc}_i(x) < \mathrm{anc}_i(y)$.

As a consequence, the first and last vertex of $\rho$ cannot have the same ancestor
at level $i$, and thus are different.
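The following small instance of Definition 13 is a worked example added here; it is not part of the original paper. Take $d = 1$ and the $1$-tree $t$ whose root has three leaves $x_1 < x_2 < x_3$, so that $\mathrm{anc}_0(x) = \mathrm{root}$ and $\mathrm{anc}_1(x) = x$ for every leaf $x$:

$$
\begin{aligned}
i = 0,\ \text{priority } 2(d-0) = 2:&\quad x \xrightarrow{2} y \ \text{for all leaves } x,y \ (\mathrm{anc}_0(x) = \mathrm{anc}_0(y) = \mathrm{root}),\\
i = 1,\ \text{priority } 2(d-1) = 0:&\quad x \xrightarrow{0} y \iff x \le y:\ x_1 \to x_1,\ x_1 \to x_2,\ x_1 \to x_3,\ x_2 \to x_2,\ x_2 \to x_3,\ x_3 \to x_3,\\
i = 1,\ \text{priority } 2(d-1)+1 = 1:&\quad x \xrightarrow{1} y \iff x < y:\ x_1 \to x_2,\ x_1 \to x_3,\ x_2 \to x_3.
\end{aligned}
$$

Checking Lemma 14 on this graph: a cycle whose highest priority is $1$ uses only edges of priority $0$ or $1$, all of which satisfy $\mathrm{anc}_1(x) \le \mathrm{anc}_1(y)$, i.e. $x \le y$, with at least one strict step $x < y$; so its first and last vertex differ and it is not a cycle. Every cycle containing a priority-$1$ edge must therefore also contain a priority-$2$ edge (the only edges moving left in the leaf order), and its maximal priority $2$ is even; the remaining cycles are the self-loops $x \xrightarrow{0} x$, which are even as well. The same graph also exhibits the properties of Lemma 19 below: $\xrightarrow{0}$ (the leaf order) and $\xrightarrow{2}$ (all pairs) are total preorders with $\xrightarrow{0} \subseteq \xrightarrow{2}$, and $x \xrightarrow{1} y$ holds exactly when $y \xrightarrow{0} x$ does not.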
Below, we develop sufficient results for establishing:


Theorem 10 ([CF18]). For all positive integers $d,n$, the two following quantities
are equal:

- the smallest number of leaves of an $n$-universal $d$-tree, and
- the smallest number of vertices of a $(\mathrm{Parity}_{[0,2d]},n)$-universal graph.


Proof. We shall see below (Definition 14) a construction $\mathrm{Tree}$ that maps
all $\mathrm{Parity}_{[0,2d]}$-maximal graphs $G$ to a $d$-tree $\mathrm{Tree}(G)$ of smaller or same
size. Corollary 4 establishes that this construction is in some sense the
converse of $\mathrm{Graph}$ (in fact they form an adjunction), and that this
correspondence preserves the notions of universality. This proves the above
result: given an $n$-universal $d$-tree $t$, then, by Corollary 4, $\mathrm{Graph}(t)$ is a
$(\mathrm{Parity}_{[0,2d]},n)$-universal graph that has as many vertices as $t$ has leaves.
Conversely, consider a $(\mathrm{Parity}_{[0,2d]},n)$-universal graph $G$. One can add edges to it
until it becomes a $\mathrm{Parity}_{[0,2d]}$-maximal graph $G'$ with as many vertices.
Then, by Corollary 4, $\mathrm{Tree}(G')$ is an $n$-universal $d$-tree that has at most as many
leaves as $G'$ has vertices.


Example 3. The complete $d$-tree $t$ of degree $n$ (that has $n^d$ leaves) is $n$-universal.
The $[0,2d]$-graph $\mathrm{Graph}(t)$ obtained in this way is used in the small progress
measure algorithm [Jur00].


However, there exist $n$-universal $d$-trees that are much smaller than in the
above example. The next theorem provides an upper and a lower bound.


Theorem 11 ([Fij18,CDF+19]). Given positive integers n, d, 


— there exists an n-universal d-tree with 


i Ge - ') 


leaves. 
— all n-universal d-trees have at least 


(ieo ) 


leaves. 


Corollary 2. The complexity of solving Parityjo aj-games with at most n- 


re O (mn log(n) log(d) - wi g ')) . 


and no algorithm based on good for small safety games can be faster than 
quasipolynomial time. 
Maximal universal graphs for the parity condition. We shall now analyse
in detail the shape of $\mathrm{Parity}_{[0,2d]}$-maximal graphs. This analysis culminates with
the precise description of such graphs in Lemma 19, that essentially establishes
a bijection with graphs of the form $\mathrm{Graph}(t)$ (Corollary 4).

Let us note that, since the parity condition is memoryless for the existential
player, using Lemma 10, and the fact that the parity condition is unchanged by
modifying finite prefixes, we can always assume that the root vertex is the minimal
one for the $\le_\varepsilon$ ordering. Thus, from now on, we do not have to pay attention
to the root, in particular in weak graph morphisms, and we just use the term
morphism for weak graph morphisms.

Let us recall that the preference ordering $\sqsubseteq$ between the non-negative integers is
defined as follows:

$$2d+1 \sqsubseteq 2d-1 \sqsubseteq \cdots \sqsubseteq 3 \sqsubseteq 1 \sqsubseteq 0 \sqsubseteq 2 \sqsubseteq \cdots \sqsubseteq 2d-2 \sqsubseteq 2d$$


Fact 1. Let $k \sqsubseteq l$ and $u,v$ be sequences of priorities. If the maximal priority
occurring in $ukv$ is even, then the maximal priority occurring in $ulv$ is also
even.


Lemma 15. Let $G$ be a $\mathrm{Parity}_{[0,2d]}$-maximal graph and $k \sqsubseteq \ell$ be priorities in
$[0,2d]$. For all vertices $x,y$ of $G$, $x \xrightarrow{k}_G y$ implies $x \xrightarrow{\ell}_G y$.


Proof. Let us add $(x,\ell,y)$ to $G$. Let $u(x,\ell,y)v$ be some elementary cycle of
the new graph involving the new edge $(x,\ell,y)$. By Lemma 13, $u(x,k,y)v$ is
an even cycle in the original graph. Hence, by Fact 1, $u(x,\ell,y)v$ is also an
even cycle. Thus, by Lemma 13, $G$ with the newly added edge also satisfies
$L(G) \subseteq \mathrm{Parity}_{[0,2d]}$. Using the maximality assumption for $G$, we obtain that
$(x,\ell,y)$ was already present in $G$.


Lemma 16. Let $G$ be a $\mathrm{Parity}_{[0,2d]}$-maximal graph. For all vertices $x,y,z$
of $G$, if $x \xrightarrow{k}_G y$ and $y \xrightarrow{\ell}_G z$, then $x \xrightarrow{\max(k,\ell)}_G z$.

Proof. Let us add $(x,\max(k,\ell),z)$ to $G$. Let $u(x,\max(k,\ell),z)v$ be an
elementary cycle in the new graph. By Lemma 13, $u(x,k,y)(y,\ell,z)v$, being a
cycle of $G$, has to be even. Since, furthermore, the maximal priority that occurs
in $u(x,k,y)(y,\ell,z)v$ is the same as the maximal one in $u(x,\max(k,\ell),z)v$, the
cycle $u(x,\max(k,\ell),z)v$ is also even. Using the maximality assumption of $G$, we
obtain that $(x,\max(k,\ell),z)$ was already present in $G$.


Lemma 17. Let $G$ be a $\mathrm{Parity}_{[0,2d]}$-maximal graph, and $x,y$ be vertices, then

$$x \xrightarrow{0}_G x, \qquad\text{and}\qquad x \xrightarrow{2d}_G y.$$


Proof. For $x \xrightarrow{0}_G x$, it is sufficient to notice that adding the edge $(x,0,x)$, if it
was not present, simply creates one new elementary cycle in $G$, namely $(x,0,x)$.
Since it is an even cycle, by Lemma 13, the new graph also satisfies $L(G) \subseteq
\mathrm{Parity}_{[0,2d]}$. Hence, by the maximality assumption, the edge was already present
in $G$ before.

Consider the graph $G$ with an extra edge $(x,2d,y)$ added. Consider now
an elementary cycle that contains $(x,2d,y)$, i.e., of the form $u(x,2d,y)v$. Its
maximal priority is $2d$, and thus even. Hence by Lemma 13 and the maximality
assumption, the edge was already present in $G$.


Lemma 18. Let $G$ be a $\mathrm{Parity}_{[0,2d]}$-maximal graph and $k = 0, 2, \dots, 2d-2$. 
For all vertices $x,y$, $x \xrightarrow{k+1}_G y$ holds if and only if $y \xrightarrow{k}_G x$ does not hold. 


Proof. Assume first that $y \xrightarrow{k}_G x$ and $x \xrightarrow{k+1}_G y$ both hold. Then 
$y \xrightarrow{k}_G x \xrightarrow{k+1}_G y$ is an odd cycle, contradicting Lemma 13. 

Conversely, assume that adding the edge $x \xrightarrow{k+1}_G y$ would break the property 
$L(G) \subseteq \mathrm{Parity}_{[0,2d]}$. This means that there is an elementary cycle of the form 
$u(x,k+1,y)v$ which is odd. Let $\ell$ be the maximal priority in $vu$. If $\ell > k+1$, 
then $\ell$ is odd, and thus $\ell \sqsubseteq k$, and we obtain $y \xrightarrow{k}_G x$ by Lemma 15. Otherwise, 
$\ell \le k+1$, and again $\ell \sqsubseteq k$. Once more $y \xrightarrow{k}_G x$ holds by Lemma 15. 


Lemma 19. A $[0,2d]$-graph $G$ is a $\mathrm{Parity}_{[0,2d]}$-maximal graph if and only if all 
the following properties hold: 

1. $\xrightarrow{k}_G$ is a total preorder for all $k = 0, 2, \dots, 2d$, 

2. $\xrightarrow{k}_G \subseteq \xrightarrow{k+2}_G$ for all $k = 0, 2, \dots, 2d-2$, 

3. $\xrightarrow{2d}_G$ is the total equivalence relation, 

4. $x \xrightarrow{k+1}_G y$ if and only if $y \xrightarrow{k}_G x$ does not hold, for all $k = 0, 2, \dots, 2d-2$ and all vertices $x, y$.⁹ 

Proof. First direction. Assume first that $G$ is a $\mathrm{Parity}_{[0,2d]}$-maximal graph. 

(1) Let $k = 0, 2, \dots, 2d$; $\xrightarrow{k}_G$ is transitive by Lemma 16. Furthermore, by 
Lemma 17, $x \xrightarrow{0}_G x$ for all vertices $x$, and thus by Lemma 15, since $0 \sqsubseteq k$, 
$x \xrightarrow{k}_G x$. Hence $\xrightarrow{k}_G$ is also reflexive and hence a preorder. Consider now 
another vertex $y$. By Lemma 18, either $x \xrightarrow{k}_G y$ or $y \xrightarrow{k+1}_G x$. But by Lemma 15, 
$y \xrightarrow{k+1}_G x$ implies $y \xrightarrow{k}_G x$. Hence either $x \xrightarrow{k}_G y$ or $y \xrightarrow{k}_G x$. Thus $\xrightarrow{k}_G$ is a 
total preorder. 

(2) For $k = 0, 2, \dots, 2d-2$, since $k \sqsubseteq k+2$, by Lemma 15, $\xrightarrow{k}_G \subseteq \xrightarrow{k+2}_G$. 

(3) $\xrightarrow{2d}_G$ is the maximal relation by Lemma 15. 

(4) For $k = 0, 2, \dots, 2d-2$ and $x, y$, we know by Lemma 18 that $y \xrightarrow{k}_G x$ holds if and only if 
$x \xrightarrow{k+1}_G y$ does not. This shows (4). 

Second direction. Assume now that $G$ satisfies the conditions (1)-(4). Let us 
first show that $L(G) \subseteq \mathrm{Parity}_{[0,2d]}$. For the sake of contradiction, consider 
an elementary cycle that would be odd. It can be written as $u(x,k,y)v$ with a 


⁹ Note that this also means, since $\xrightarrow{k}_G$ is a total preorder, that $\xrightarrow{k+1}_G$ is its strict version. 


Universal Graphs and Good for Games Automata 23 


maximal odd priority $k$. Note first that $\xrightarrow{\ell}_G \subseteq \xrightarrow{k-1}_G$ for all $\ell < k$: indeed, by (2), 
this is true if $\ell$ is even, and by (1) and (4), $\xrightarrow{j}_G \subseteq \xrightarrow{j-1}_G$ for all $j$ odd. Also $\xrightarrow{k}_G$ is 
the strict version of the preorder $\xrightarrow{k-1}_G$. Hence, the path $u(x,k,y)v$ has to strictly 
advance with respect to the preorder $\xrightarrow{k-1}_G$: it cannot be a cycle. 

Assume now that an edge $(x,k,y)$ is not present in $G$. If $k$ is even, 
since $(x,k,y)$ is not present, by (4) this means that $(y,k+1,x)$ is present. Hence, 
adding the edge $(x,k,y)$ would create the odd cycle $(x,k,y)(y,k+1,x)$. If $k$ is 
odd, since $(x,k,y)$ is not present, by (4) this means that $(y,k-1,x)$ is present. 
Hence, adding the edge $(x,k,y)$ would create the odd cycle $(x,k,y)(y,k-1,x)$. 
Hence $G$ is $\mathrm{Parity}_{[0,2d]}$-maximal. 


Corollary 3. Given a morphism $\alpha$ from a $\mathrm{Parity}_{[0,2d]}$-maximal graph $H$ to a 
$\mathrm{Parity}_{[0,2d]}$-maximal graph $G$, then $x \xrightarrow{k}_H y$ if and only if $\alpha(x) \xrightarrow{k}_G \alpha(y)$, for 
all vertices $x, y$ of $H$ and integers $k$ in $[0,2d]$. Furthermore, if $\alpha$ is surjective, 
then every map $\beta$ from $G$ to $H$, such that $\alpha \circ \beta$ is the identity on $G$, is an injective 
morphism. 


Proof. First part. From left to right, this is the definition of a morphism. The 
other direction is by (4) of Lemma 19: if $\alpha(x) \xrightarrow{k}_G \alpha(y)$ and $k$ is odd, then 
$\alpha(y) \xrightarrow{k-1}_G \alpha(x)$ does not hold by (4), thus $y \xrightarrow{k-1}_H x$ does not hold since $\alpha$ is a morphism, 
thus $x \xrightarrow{k}_H y$ holds by (4) again. The case of $k$ even is similar (using $k+1$ this 
time). 

For the second part, since $\alpha \circ \beta$ is the identity, $\beta$ has to be injective. It is a 
morphism by the first part. 


The next definition, allowing to go from graphs to trees, is shown meaningful 
by Lemma 19: 


Definition 14. Let $G$ be a $\mathrm{Parity}_{[0,2d]}$-maximal graph. The $d$-tree $\mathrm{Tree}(G)$ is 
constructed as follows: 

— the nodes of level $i = 0, \dots, d$ are the pairs $(i, C)$ for $C$ ranging over the 
equivalence classes of $\xrightarrow{2(d-i)}_G \cap \xleftarrow{2(d-i)}_G$, 
— a node $(i, C)$ is an ancestor of $(j, D)$ if $i < j$ and $D \subseteq C$, 
— $(i, C) \le_{\mathrm{Tree}(G)} (i, D)$ if $x \xrightarrow{2(d-i)}_G x'$ for all $x \in C$ and $x' \in D$. 


We shall see that Graph and Tree are almost the inverse one of the other. 
This is already transparent in the following lemma, which is just a reformulation 
of the definitions. 


Lemma 20. Let $q$ be the quotient map from vertices of $G$ to leaves of $\mathrm{Tree}(G)$ 
that maps each vertex to its $(\xrightarrow{0}_G \cap \xleftarrow{0}_G)$-equivalence class. It has the following 
property for all vertices $x, y$ of $G$: 

$x \xrightarrow{2(d-i)}_G y$ if and only if $\mathrm{anc}^{d-i}(q(x)) \le_{\mathrm{Tree}(G)} \mathrm{anc}^{d-i}(q(y))$, 
and $x \xrightarrow{2(d-i)+1}_G y$ if and only if $\mathrm{anc}^{d-i}(q(x)) <_{\mathrm{Tree}(G)} \mathrm{anc}^{d-i}(q(y))$. 

The identity maps the vertices of $\mathrm{Graph}(t)$ to the leaves of $t$, and has the 
property that for all vertices $x, y$: 

$x \xrightarrow{2i}_{\mathrm{Graph}(t)} y$ if and only if $\mathrm{anc}^i(x) \le_t \mathrm{anc}^i(y)$, 
and $x \xrightarrow{2i+1}_{\mathrm{Graph}(t)} y$ if and only if $\mathrm{anc}^i(x) <_t \mathrm{anc}^i(y)$. 


Corollary 4.¹⁰ For all $\mathrm{Parity}_{[0,2d]}$-maximal graphs $G, H$, all $d$-trees $t$, and all 
positive integers $n$, 

— $\mathrm{Graph}(\mathrm{Tree}(G))$ is a quotient and an induced subgraph of $G$, 

— $\mathrm{Tree}(\mathrm{Graph}(t))$ is isomorphic to $t$, 

— there is a morphism from $H$ to $\mathrm{Graph}(t)$ if and only if there is a tree embedding 
from $\mathrm{Tree}(H)$ to $t$, 

— $\mathrm{Tree}(G)$ is $n$-universal if and only if $G$ is $(\mathrm{Parity}_{[0,2d]}, n)$-universal, 

— $\mathrm{Graph}(t)$ is $(\mathrm{Parity}_{[0,2d]}, n)$-universal if and only if $t$ is $n$-universal. 


Proof. Let q be the quotient from Lemma 20. It can be seen as a surjective 
map from vertices of Graph(Tree(G)) to G. By Lemma 20 it is a morphism. By 
Corollary 3, Graph(Tree(G)) is also an induced subgraph of G. 

The leaves of Tree(Graph(t)) are the singletons consisting of leaves of t. 
Hence, there is a bijective map from leaves of Tree(Graph(t)) to leaves of t 
that sends $\{\ell\}$ to $\ell$. By Lemma 20, this is a morphism, and by Corollary 3 an 
isomorphism. 

For the third item, assume first that there is a morphism from H to Graph(t). 
By the first point, there is an injective morphism from Graph(Tree(H)) to H. 
By composition, we obtain a morphism from Graph(Tree(H)) to Graph(t). By 
Lemma 20, it is also a tree embedding from Tree(H) to t. Conversely, assume 
that there exists an embedding from Tree(H) to t. It can be raised by Lemma 20 
to a morphism from Graph(Tree(H)) to Graph(t). By the first point, there is 
a morphism from H to Graph(Tree(H)). By composition, we get a morphism 
from H to Graph(t). 

The two last items are obvious from the one just before. 
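The characterization of Lemma 19 can be checked mechanically on a small instance. The Python below is an added example, not code from the paper: it builds Graph(t) for a constructed 2-tree through the two clauses of Lemma 20 (leaves encoded as tuples of child indices, compared lexicographically; that encoding and all function names are the example's own), tests conditions (1)-(4) directly, and compares the verdict with the cycle-based definition of Parity-maximality.

```python
from itertools import product

# Constructed sample: a 2-tree with three leaves.  A leaf is the tuple of child
# indices on its root-to-leaf path, anc^i drops the last i components, and
# <=_t on same-level nodes is the lexicographic order on paths (the example's
# own encoding of a d-tree, not notation from the paper).
D = 2
LEAVES = [(0, 0), (0, 1), (1, 0)]


def anc(leaf, i):
    return leaf[:len(leaf) - i]


def graph_of_tree(leaves, d):
    """Graph(t) via Lemma 20: x -2i-> y iff anc^i(x) <=_t anc^i(y), and
    x -(2i+1)-> y iff anc^i(x) <_t anc^i(y).  Returns {priority: set of (x, y)}."""
    edges = {k: set() for k in range(2 * d + 1)}
    for x, y in product(leaves, repeat=2):
        for i in range(d + 1):
            ax, ay = anc(x, i), anc(y, i)
            if ax <= ay:
                edges[2 * i].add((x, y))
            if ax < ay and 2 * i + 1 <= 2 * d:
                edges[2 * i + 1].add((x, y))
    return edges


def is_total_preorder(rel, verts):
    reflexive = all((x, x) in rel for x in verts)
    total = all((x, y) in rel or (y, x) in rel for x, y in product(verts, repeat=2))
    transitive = all((x, z) in rel for (x, y) in rel for (y2, z) in rel if y == y2)
    return reflexive and total and transitive


def satisfies_lemma19(edges, verts, d):
    """Conditions (1)-(4) of Lemma 19, read off the relations -k->_G."""
    for k in range(0, 2 * d + 1, 2):                   # (1) total preorders
        if not is_total_preorder(edges[k], verts):
            return False
    for k in range(0, 2 * d - 1, 2):                   # (2) -k-> inside -(k+2)->
        if not edges[k] <= edges[k + 2]:
            return False
    if edges[2 * d] != set(product(verts, repeat=2)):  # (3) -2d-> is total
        return False
    for k in range(0, 2 * d - 1, 2):                   # (4) x -(k+1)-> y iff not y -k-> x
        for x, y in product(verts, repeat=2):
            if ((x, y) in edges[k + 1]) == ((y, x) in edges[k]):
                return False
    return True


def transitive_closure(rel, verts):
    reach = set(rel)
    for k in verts:
        for i in verts:
            if (i, k) in reach:
                for j in verts:
                    if (k, j) in reach:
                        reach.add((i, j))
    return reach


def all_cycles_even(edges, verts):
    """L(G) inside Parity_[0,2d]: a cycle whose maximal priority is odd exists
    iff for some odd p an edge (x, p, y) closes up from y back to x using only
    edges of priority <= p (an odd-priority self-loop is such a cycle too)."""
    for p in (p for p in edges if p % 2 == 1):
        low = {e for k in edges if k <= p for e in edges[k]}
        reach = transitive_closure(low, verts)
        for (x, y) in edges[p]:
            if x == y or (y, x) in reach:
                return False
    return True


def is_parity_maximal(edges, verts, d):
    """The definition itself: every cycle is even, and adding any missing edge
    (x, k, y) creates an odd cycle.  Lemma 19 says this agrees with
    satisfies_lemma19, which only inspects the relations."""
    if not all_cycles_even(edges, verts):
        return False
    for k in range(2 * d + 1):
        for x, y in product(verts, repeat=2):
            if (x, y) in edges[k]:
                continue
            bigger = {j: set(e) for j, e in edges.items()}
            bigger[k].add((x, y))
            if all_cycles_even(bigger, verts):   # edge could be added: not maximal
                return False
    return True


def without_edge(edges, k, x, y):
    smaller = {j: set(e) for j, e in edges.items()}
    smaller[k].discard((x, y))
    return smaller


if __name__ == "__main__":
    g = graph_of_tree(LEAVES, D)
    print(satisfies_lemma19(g, LEAVES, D), is_parity_maximal(g, LEAVES, D))
    h = without_edge(g, 0, (0, 0), (0, 1))      # drop one 0-edge: both checks fail
    print(satisfies_lemma19(h, LEAVES, D), is_parity_maximal(h, LEAVES, D))
```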


Acknowledgements. We thank Pierre Ohlmann for many interesting discussions, 
¹⁰ The careful reader will recognize Tree and Graph as left and right adjoints. 
Abstract. We present a framework for game semantics based on con- 
current games, that keeps track of resources as data modified throughout 
execution but not affecting its control flow. Our leading example is time, 
yet the construction is in fact parametrized by a resource bimonoid R, 
an algebraic structure expressing resources and the effect of their con- 
sumption either sequentially or in parallel. Relying on our construction, 
we give a sound resource-sensitive denotation to R-IPA, an affine higher- 
order concurrent programming language with shared state and a primi- 
tive for resource consumption in R. Compared with general operational 
semantics parametrized by R, our resource analysis turns out to be finer, 
leading to non-adequacy. Yet, our model is not degenerate as adequacy 
holds for an operational semantics specialized to time. 

In regard to earlier semantic frameworks for tracking resources, the 
main novelty of our work is that it is based on a non-interleaving seman- 
tics, and as such accounts for parallel use of resources accurately. 


1 Introduction 


Since its inception, denotational semantics has grown into a very wide subject. 
Its developments now cover numerous programming languages or paradigms, 
using approaches that range from the extensionality of domain semantics [24] 
(recording the input-output behaviour) to the intensionality of game seman- 
tics [1,17] (recording execution traces, formalized as plays in a 2-players game 
between the program (“Player”) and its execution environment (“Opponent” )). 
Denotational semantics has had significant influence on the theory of program- 
ming languages, with contributions ranging from program logics or reasoning 
principles to new language constructs and verification algorithms. 

Most denotational models are qualitative in nature, meaning that they ignore 
efficiency of programs in terms of time, or other resources such as power or 
bandwidth. To our knowledge, the first denotational model to cover time was 
Ghica’s slot games [13], an extension of Ghica and Murawski’s fully abstract 
model for a higher-order language with concurrency and shared state [14]. Slot 
games exploit the intensionality of game semantics and represent time via special 
moves called tokens matching the ticks of a clock. They are fully abstract w.r.t. 
the notion of observation in Sands’ operational theory of improvement [26]. 

More recently, there has been a growing interest in capturing quantitative 
aspects denotationally. Laird et al. constructed [18] an enrichment of the rela- 
tional model of Linear Logic [11], using weights from a resource semiring given 
as parameter. This way, they capture in a single framework several notions of 
resources for extensions of PCF, ranging from time to probabilistic weights. Two 
type systems with similar parametrizations were introduced simultaneously by, 
on the one hand, Ghica and Smith [15] and, on the other hand, Brunel, Gaboardi 
et al. [4]; the latter with a quantitative realizability denotational model. 

In this paper, we give a resource-sensitive denotational model for R-IPA, 
an affine higher-order programming language with concurrency, shared state, 
and with a primitive for resource consumption. With respect to slot games our 
model differs in that our resource analysis accounts for the fact that resource 
consumption may combine differently in parallel and sequentially — simply put, 
we mean to express that wait(1) || wait(1) may terminate in 1s, rather than 
2. We also take inspiration from weighted relational models [18] in that our 
construction is parametrized by an algebraic structure representing resources and 
their usage. Our resource bimonoids (R, 0, ;, ||, ≤) differ however significantly 
from their resource semiring (R, 0, 1, +, ·): while ; matches ·, || is a new operation 
expressing the consumption of resources in parallel. We have no counterpart for 
the +, which agglomerates distinct non-deterministically co-existing executions 
leading to the same value: instead our model keeps them separate. 

Capturing parallel resource usage is technically challenging, as it can only be 
attempted relying on a representation of execution where parallelism is explicit. 
Accordingly, our model belongs to the family of concurrent or asynchronous 
game semantics pioneered by Abramsky and Melliès [2], pushed by Melliès [20] 
and later with Mimram [22], and by Faggian and Piccolo [12]; actively developed 
in the past 10 years prompted by the introduction of a more general framework 
by Rideau and Winskel [7,25]. In particular, our model is a refinement of the 
(qualitative) truly concurrent interpretation of affine IPA described in [5]. Our 
methodology to record resource usage is inspired by game semantics for first- 
order logic [3,19] where moves carry first-order terms from a signature — instead 
here they carry explicit functions, i.e. terms up to a congruence (it is also reminiscent 
of Melliès’ construction of the free dialogue category over a category [21]). 

As in [5] we chose to interpret an affine language: this lets us focus on the key 
phenomena which are already at play, avoiding the technical hindrance caused by 
replication. As suggested by recent experience with concurrent games [6,10], we 
expect the developments presented here to extend transparently in the presence 
of symmetry [8,9]; this would allow us to move to the general (non-affine) setting. 


Outline. We start Sect. 2 by introducing the language R-IPA. We equip it first 
with an interleaving semantics and sketch its interpretation in slot games. We 
then present resource bimonoids, give a new parallel operational semantics, and 
hint at our truly concurrent games model. In Sect. 3, we construct this model 
and prove its soundness. Finally in Sect. 4, we show adequacy for an operational 
semantics specialized to time, noting first that the general parallel operational 
semantics is too coarse w.r.t. our model. 


2 From R-IPA to R-Strategies 


2.1 Affine IPA 


Terms and Types. We start by introducing the basic language under study, affine 
Idealized Parallel Algol (IPA). It is an affine variant of the language studied 
in [14], a call-by-name concurrent higher-order language with shared state. Its 
types are given by the following grammar: 


A, B ::= com | bool | mem_W | mem_R | A → B 


Here, mem_W is the type of writeable references and mem_R is the type 
of readable references; the distinction is necessary in this affine setting as it 
allows to share accesses to a given state over subprocesses; this should make 
more sense in the next paragraph with the typing rules. In the sequel, non- 
functional types are called ground types (for which we use notation X). We 
define terms directly along with their typing rules in Fig. 1. Contexts are simply 
lists x_1 : A_1, ..., x_n : A_n of variable declarations (in which each variable occurs 
at most once), and the exchange rule is kept implicit. Weakening is not a rule 
but is admissible. We comment on a few aspects of these rules. 


Fig. 1. Typing rules for affine IPA (premises on the left of ⟹, conclusion on the right) 

Γ ⊢ skip : com      Γ ⊢ tt : bool      Γ ⊢ ff : bool      Γ ⊢ x : A  if (x : A) ∈ Γ 
Γ, x : A ⊢ M : B  ⟹  Γ ⊢ λx. M : A → B 
Γ ⊢ M : A → B,  Δ ⊢ N : A  ⟹  Γ, Δ ⊢ M N : B 
Γ ⊢ M : mem_R  ⟹  Γ ⊢ !M : bool 
Γ ⊢ M : com,  Δ ⊢ N : X  ⟹  Γ, Δ ⊢ M ; N : X 
Γ ⊢ M : com,  Δ ⊢ N : X  ⟹  Γ, Δ ⊢ M || N : X 
Γ ⊢ M : mem_W  ⟹  Γ ⊢ M := tt : com 
Γ ⊢ M : bool,  Δ ⊢ N_1 : X,  Δ ⊢ N_2 : X  ⟹  Γ, Δ ⊢ if M N_1 N_2 : X 
Γ, x : mem_W, y : mem_R ⊢ M : X  ⟹  Γ ⊢ new x, y in M : X 


Firstly, observe that the reference constructor new x, y in M binds two vari- 
ables x and y, one with a write permission and the other with a read permission. 
In this way, the permissions of a shared state can be distributed in different com- 
ponents of e.g. an application or a parallel composition, causing interferences 
despite the affine aspect of the language. Secondly, the assignment command, 
M := tt, seems quite restrictive. Yet, the language is affine, so a variable can 
only be written to once, and, as we choose to initialize it to ff, the only useful 
thing to write is tt. Finally, many rules seem restrictive in that they apply only at 
ground type X. More general rules can be defined as syntactic sugar; for instance 
we give (all other constructs extend similarly): M ;_{A→B} N = λx^A. (M ;_B (N x)). 


Operational Semantics. We fix a countable set L of memory locations. Each 
location ℓ comes with two associated variable names ℓ_W and ℓ_R distinct from 
other variable names. Usually, stores are partial maps from L to {tt, ff}. Instead, 
we find it more convenient to introduce the notion of state of a memory location. A 
state corresponds to a history of memory actions (reads 
or writes) and follows the state diagram of Fig. 2 (ignor- 
ing for now the annotations with α, β). We write (M, ≤_M) 
for the induced set of states and accessibility relation on it. For each m ∈ M, its 
set of available actions is act(m) = {W, R} \ m (the letters not occurring in 
m, annotations being ignored); and its value (in {tt, ff}) is val(m) = tt iff W 
occurs in m. 

Finally, a store is a partial map s : L → M with finite domain, mapping each 
memory location to its current state. To each store corresponds a typing context 


Fig. 2. State diagram 


Ω(s) = {ℓ_X : mem_X | ℓ ∈ dom(s) & X ∈ act(s(ℓ))}. 


The operational semantics operates on configurations defined as pairs (M, s) 
with s a store and Γ ⊢ M : A a term whose free variables are all memory 
locations with Γ ⊆ Ω(s). This property will be preserved by our rather standard 
small-step, call-by-name operational semantics. We refrain for now from giving 
the details; they will appear in Sect. 2.2 in the presence of resources. 


2.2 Interleaving Cost Semantics, and R-IPA 


Ghica and Murawski [14] have constructed a fully abstract (for may-equivalence) 
model for (non-affine) IPA, relying on an extension of Hyland-Ong games [17]. 
Their model takes an interleaving view of the execution of concurrent 
programs: a program is represented by the set of all its possible executions, as 
decided non-deterministically by the scheduler. In game semantics, this is captured 
by lifting the standard requirement that the two players alternate. For instance, 
Fig. 3 shows a play in the interpretation of the program x : com, y : bool ⊢ x || y : bool. 
The diagram is read from top to bottom, chronologically. Each line 
comprises one computational event (“move”), annotated with “−” if due to 
the execution environment (“Opponent”) and with “+” if due to the program 
(“Player”); each move corresponds to a certain type component, under which it 
is placed. With the first move q⁻, the environment initiates the computation. 


Fig. 3. A non-alternating play (on x : com, y : bool ⊢ bool; moves, from top to bottom: q⁻, run⁺, q⁺, done⁻, tt⁻, tt⁺) 


Player then plays run⁺, triggering the evaluation of x. In standard game seman- 
tics, the control would then go back to the execution environment — Player would 
be stuck until Opponent plays. Here instead, due to parallelism Player can play 
a second move q⁺ immediately. At this point of execution, x and y are both 
running in parallel. Only when they have both returned (moves done⁻ and tt⁻) 
is Player able to respond tt⁺, terminating the computation. The full interpreta- 
tion of x : com, y : bool ⊢ x || y : bool, its strategy, comprises numerous plays 
like that, one for each interleaving. 

As often in denotational semantics, Ghica and Murawski’s model is invari- 
ant under reduction: if (M, s) → (M', s'), both have the same denotation. The 
model adequately describes the result of computation, but not its cost in terms, 
for instance, of time. Of course this cost is not yet specified: one must, for 
instance, define a cost model assigning a cost to all basic operations (e.g. mem- 
ory operations, function calls, etc). In this paper we instead enrich the language 
with a primitive for resource consumption — cost models can then be captured 
by inserting this primitive concomitantly with the costly operations (see for 
example [18]). 


R-IPA. Consider a set R of resources. The language R-IPA is obtained by adding 
to affine IPA a new construction, consume(α), typed as in Fig. 4. When evaluated, 
consume(α) triggers the consumption of resource α. Time consumption will be a run- 
ning example throughout the paper. In that case, we will consider the non- 
negative reals R_+ as set R, and for t ∈ R_+ we will use wait(t) as a synonym for 
consume(t). 


Fig. 4. Typing consume:  for α ∈ R,  Γ ⊢ consume(α) : com 


(skip ; M, s, α) → (M, s, α) 
(skip || M, s, α) → (M, s, α) 
(M || skip, s, α) → (M, s, α) 
(if tt N_1 N_2, s, α) → (N_1, s, α) 
(if ff N_1 N_2, s, α) → (N_2, s, α) 
((λx. M) N, s, α) → (M[N/x], s, α) 
(!ℓ_R, s, α) → (val(s(ℓ)), s[ℓ ↦ s(ℓ).R^α], α) 
(ℓ_W := tt, s, α) → (skip, s[ℓ ↦ s(ℓ).W^α], α) 
(new x, y in M, s, α) → (M[ℓ_W/x, ℓ_R/y], s ⊎ {ℓ ↦ ε}, α) 
(consume(β), s, α) → (skip, s, α ; β) 


Fig. 5. Operational semantics: basic rules 


To equip R-IPA with an operational semantics we need operations on R; they 
are introduced throughout this section. First we have 0 ∈ R, the null resource; if 
α, β ∈ R, we have some α ; β ∈ R, the resource taken by consuming α, then β — 
for R = R_+, this is simply addition. To evaluate R-IPA, the configurations are 
now triples (M, s, α) with α ∈ R tracking resources already spent. With that, we 
give in Fig. 5 the basic operational rules. The only rule affecting current resources 
is that for consume(β); the others leave it unchanged. However note that we store 
the current state of resources when performing memory operations, explaining the 
annotations in Fig. 2. These annotations do not impact the operational behaviour, 
but will be helpful in relating with the game semantics in Sect. 3. As usual, these 
rules apply within call-by-name evaluation contexts — we omit the details here but 
they will appear for our final operational semantics. 
Slot Games. In [13], Ghica extends Ghica and Murawski’s model to slot games 
in order to capture resource consumption. Slot games introduce a new action 
called a token, representing an atomic resource consumption, and written $ — 
writing $^n for n successive occurrences of $. A model of N_+-IPA using slot 
games would have for instance the play in Fig. 6 in the interpretation of 


H = (wait(1); x; wait(2)) || (wait(2); y; wait(1)) 


in context x : com, y : bool, among many others. Note, in examples, we 
use a more liberal typing rule for ‘;’ allowing y^bool ; z^com : bool to avoid clut- 
ter: it can be encoded as if y (z; tt) (z; ff). Following the methodology of game 
semantics, the interpretation of (λxy. H) skip tt would yield, by composition, the 
strategy with only maximal play q⁻ $^6 tt⁺, where $^6 
reflects the overall 6 time units (say “seconds”) that 
have to pass in total before we see the result (3 in 
each thread). This seems wasteful, but it is indeed 
an adequate computational analysis, because both 
slot games and the operational semantics given so far 
implicitly assume a sequential operational model, i.e. 
that both threads compete to be scheduled on a single 
processor. Let us now question that assumption. 


Fig. 6. A play with tokens (on x : com, y : bool ⊢ bool) 


Parallel Resource Consumption. With a truly concurrent evaluation in mind, we 
should be able to prove that the program above may terminate in 3s, rather than 
6; as nothing prevents the threads from evaluating in parallel. Before we update 
the operational semantics to express that, we enrich our resource structure to 
allow it to express the effect of consuming resources in parallel. 

We now introduce the full algebraic structure we require for resources. 


Definition 1. A resource bimonoid is (R, 0, ;, ||, ≤) where (R, 0, ;, ≤) is an 
ordered monoid, (R, 0, ||, ≤) is an ordered commutative monoid, 0 is bottom for 
≤, and || is idempotent, i.e. it satisfies α || α = α. 


A resource bimonoid is in particular a concurrent monoid in the sense of 
e.g. [16] (though we take ≤ in the opposite direction: we read α ≤_R α' as “α 
is better/more efficient than α'”). Our idempotence assumption is rather strong 
as it entails that α || β is the supremum of α, β ∈ R. This allows to recover 
a number of simple laws, e.g. α || β ≤ α ; β, or the exchange rule (α ; β) || 
(α' ; β') ≤ (α || α') ; (β || β'). Idempotence, which would not be needed for a 
purely functional language, is used crucially in our interpretation of state. 

Our leading examples are (N_+, 0, +, max, ≤) and (R_+, 0, +, max, ≤) — we call 
the latter the time bimonoid. Others are the permission bimonoid (P(P), ∅, ∪, ∪, 
⊆) for some set P of permissions: if reaching a state requires certain permissions, 
it does not matter whether these have been requested sequentially or in parallel; 
the bimonoid of parametrized time (M, 0, ;, ||, ≤) with M the monotone func- 
tions from positive reals to positive reals, 0 the constant function, || the pointwise 
maximum, and (f ; g)(x) = f(x) + g(x + f(x)): it tracks time consumption in a 
context where the time taken by consume(α) might grow over time. 

Besides time-based bimonoids, it would be appealing to cover resources such 
as power, bandwidth or heap space. Those, however, clearly fail idempotence of ||, 
and are therefore not covered. It is not clear how to extend our model to those. 


(M, s, α) → (M', s', α')  ⟹  (M, s, α) ⇒ (M', s', α') 
(M, s, α) ⇒ (M, s, α) 
(M, s, α) ⇒ (M', s', α')  ⟹  (C[M], s, α) ⇒ (C[M'], s', α') 
(M, s, α) ⇒ (M', s', α'),  (M', s', α') ⇒ (M'', s'', α'')  ⟹  (M, s, α) ⇒ (M'', s'', α'') 
(M, s, α) ⇒ (M', s', α'),  (N, s, α) ⇒ (N', s'', α'')  ⟹  (M || N, s, α) ⇒ (M' || N', s' ⊔ s'', α' || α'') 


Fig. 7. Rules for parallel reduction (premises on the left of ⟹, conclusion on the right) 


Parallel Operational Semantics. Let us fix a resource bimonoid R. To express 
parallel resource consumption, we use the many-step parallel reductions defined 
in Fig. 7, with call-by-name evaluation contexts given by 


C[] ::= [] | [] N | [] ; N | if [] M N | [] := tt | ![] | [] || N | N || [] 


The rule for parallel composition carries some restrictions regarding memory: 
M and N can only reduce concurrently if they do not access the same memory 
cells. This is achieved by requiring that the partial operation s ⊔ s' — that 
intuitively corresponds to “merging” two memory stores s and s' whenever there 
are no conflicts — is defined. More formally, the partial order ≤_M on memory 
states induces a partial order (also written ≤_M) on stores, defined by s ≤_M s' 
iff dom(s) ⊆ dom(s') and for all ℓ ∈ dom(s) we have s(ℓ) ≤_M s'(ℓ). This order 
is a cpo in which s' and s'' are compatible (i.e. have an upper bound) iff for 
all ℓ ∈ dom(s') ∩ dom(s''), s'(ℓ) ≤_M s''(ℓ) or s''(ℓ) ≤_M s'(ℓ) — so there has 
been no interference going to s' and s'' from their last common ancestor. When 
compatible, s' ⊔ s'' maps s' and s'' to their lub, and is undefined otherwise. 

For ⊢ M : com, we set M ⇓_α if (M, ∅, 0) ⇒ (skip, s, α). For instance, 
instantiating the rules with the time bimonoid, we have 


(wait(1); wait(2)) || (wait(2); wait(1)) ⇓_3 
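The resource bimonoids of Definition 1 and the difference between the parallel reductions of Fig. 7 and the single-processor reading of Sect. 2.2 can be exercised on the term H. The Python below is an added example, not code from the paper: it implements the time, permission and parametrized-time bimonoids, checks the laws the text derives from idempotence on sample values, and computes the cost of H (with x and y instantiated by cost-free values) under both models. Class and function names, and the finite grid on which functions are compared, are the example's own.

```python
from itertools import product

class TimeBimonoid:
    """The time bimonoid (R_+, 0, +, max, <=)."""
    zero = 0
    seq = staticmethod(lambda a, b: a + b)       # consume a, then b
    par = staticmethod(lambda a, b: max(a, b))   # consume a and b in parallel
    leq = staticmethod(lambda a, b: a <= b)      # a at least as efficient as b
    eq = staticmethod(lambda a, b: a == b)

class PermissionBimonoid:
    """The permission bimonoid (P(P), {}, U, U, subset): request order is irrelevant."""
    zero = frozenset()
    seq = staticmethod(lambda a, b: a | b)
    par = staticmethod(lambda a, b: a | b)
    leq = staticmethod(lambda a, b: a <= b)
    eq = staticmethod(lambda a, b: a == b)

class ParametrizedTime:
    """Parametrized time (M, 0, ;, ||, <=): monotone functions on R_+, with
    (f;g)(x) = f(x) + g(x + f(x)) and || the pointwise maximum.  Comparisons
    are made pointwise on a constructed finite grid, an approximation."""
    GRID = (0, 1, 2, 5, 10)
    zero = staticmethod(lambda x: 0)
    seq = staticmethod(lambda f, g: (lambda x: f(x) + g(x + f(x))))
    par = staticmethod(lambda f, g: (lambda x: max(f(x), g(x))))
    @classmethod
    def leq(cls, f, g):
        return all(f(x) <= g(x) for x in cls.GRID)
    @classmethod
    def eq(cls, f, g):
        return all(f(x) == g(x) for x in cls.GRID)

def check_bimonoid_laws(R, samples):
    """Idempotence of ||, 0 as bottom, and the two derived laws quoted in the
    text: a || b <= a ; b and (a;b) || (a';b') <= (a||a') ; (b||b')."""
    for a in samples:
        if not R.eq(R.par(a, a), a) or not R.leq(R.zero, a):
            return False
    for a, b, a2, b2 in product(samples, repeat=4):
        if not R.leq(R.par(a, b), R.seq(a, b)):
            return False
        lhs = R.par(R.seq(a, b), R.seq(a2, b2))
        rhs = R.seq(R.par(a, a2), R.par(b, b2))
        if not R.leq(lhs, rhs):
            return False
    return True

# Terms of the wait / ; / || fragment, as nested tuples.  The values skip and
# tt that instantiate x and y are cost-free, so both are written SKIP here.
SKIP = ('skip',)
def wait(t): return ('wait', t)
def seq(m, n): return ('seq', m, n)
def par(m, n): return ('par', m, n)

def parallel_cost(R, term):
    """The alpha with M ⇓_alpha under Fig. 7: sequencing is R.seq, and the
    rule for M || N combines the resources of both sides with R.par."""
    tag = term[0]
    if tag == 'skip':
        return R.zero
    if tag == 'wait':
        return term[1]
    left, right = parallel_cost(R, term[1]), parallel_cost(R, term[2])
    return R.seq(left, right) if tag == 'seq' else R.par(left, right)

def interleaving_cost(R, term):
    """The same term when both threads compete for a single processor, as in
    slot games and the basic rules of Fig. 5: the costs of a || add up."""
    tag = term[0]
    if tag == 'skip':
        return R.zero
    if tag == 'wait':
        return term[1]
    return R.seq(interleaving_cost(R, term[1]), interleaving_cost(R, term[2]))

# H = (wait(1); x; wait(2)) || (wait(2); y; wait(1)) with x, y cost-free
H = par(seq(wait(1), seq(SKIP, wait(2))), seq(wait(2), seq(SKIP, wait(1))))

if __name__ == "__main__":
    print(parallel_cost(TimeBimonoid, H), interleaving_cost(TimeBimonoid, H))  # 3 6
    print(check_bimonoid_laws(TimeBimonoid, [0, 1, 2, 5]))
    print(check_bimonoid_laws(ParametrizedTime,
                              [ParametrizedTime.zero, lambda x: 1, lambda x: x]))
```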
2.3 Non-interleaving Semantics 


To capture this parallel resource usage semantically, we build on the games model 
for affine IPA presented in [5]. Rather than presenting programs as collections of 
sequences of moves expressing all observable sequences of computational actions, 
this model adopts a truly concurrent view using collections of partially ordered 
plays. For each Player move, the order specifies its causal dependencies, i.e. the 
Opponent moves that need to have happened before. For instance, ignoring the 
subscripts, Fig. 8 displays a typical partially ordered 
play in the strategy for the term H of Sect. 2.2. 
One partially ordered play does not fully specify a 
sequential execution: that in Fig. 8 stands for many 
sequential executions, one of which is in Fig. 3. 
Behaviours expressed by partially ordered plays are 
deterministic up to choices of the scheduler irrele- 
vant for the eventual result. Because R-IPA is non- 
deterministic (via concurrency and shared state), 
our strategies will be sets of such partial orders. 


Fig. 8. A parallel R-play (on x : com, y : bool ⊢ bool) 


To express resources, we leverage the causal information and indicate, in each 
partially ordered play and for each positive move, an R-expression representing 
its additional cost in function of the cost of its negative dependencies. Figure 8 
displays such an R-play: each Opponent move introduces a fresh variable, which 
can be used in annotations for Player moves. As we will see further on, once 
applied to strategies for values skip and tt (with no additional cost), this R- 
play will answer to the initial Opponent move q_x with tt_α, where α = (1; 2) || 
(2; 1) =_{R_+} 3, as prescribed by the more efficient parallel operational semantics. 
We now go on to define formally our semantics. 


3 Concurrent Game Semantics of IPA 


3.1 Arenas and R-Strategies 


Arenas. We first introduce arenas, the semantic representation of types in our 
model. As in [5], an arena will be a certain kind of event structure [27]. 


Definition 2. An event structure comprises (E, ≤_E, #_E) where E is a set of 
events, ≤_E is a partial order called causal dependency, and #_E is an irreflexive 
symmetric binary relation called conflict, subject to the two axioms: 


∀e ∈ E,  [e] = {e' ∈ E | e' ≤_E e} is finite 
∀e_1 #_E e_2,  ∀e_1 ≤_E e'_1,  e'_1 #_E e_2 


We will use some vocabulary and notations from event structures. A configu- 
ration x ⊆ E is a down-closed, consistent (i.e. for all e, e' ∈ x, ¬(e #_E e')) finite 
set of events. We write C(E) for the set of configurations of E. We write ⇢_E for 
immediate causality, i.e. e ⇢_E e' iff e <_E e' with nothing in between — this is 

Resource-Tracking Concurrent Games 35 


the relation represented in diagrams such as Fig. 8. A conflict e_1 #_E e_2 is min- 
imal if for all e'_1 <_E e_1, ¬(e'_1 #_E e_2) and symmetrically. We write e_1 ~_E e_2 to 
indicate that e_1 and e_2 are in minimal conflict. 

With this, we now define arenas. 


Definition 3. An arena is (A, ≤_A, #_A, pol_A), an event structure along with a 
polarity function pol_A : A → {−, +} subject to: (1) ≤_A is forest-shaped, 
(2) ⇢_A is alternating: if a_1 ⇢_A a_2, then pol_A(a_1) ≠ pol_A(a_2), and (3) it is 
race-free, i.e. if a_1 ~_A a_2, then pol_A(a_1) = pol_A(a_2). 


Arenas present the computational actions available on a type, following a 
call-by-name evaluation strategy. For instance, the observable actions of a closed 
term on com are that it can be run, and it may 
terminate, leading to the arena com = run⁻ ⇢ done⁺. 
Likewise, a boolean can be evaluated, 
and can terminate on tt or ff, yielding the arena 
on the right of Fig. 9 (when drawing arenas, 
immediate causality is written with a dotted line, 
from top to bottom). We present some simple 
arena constructions. The empty arena, writ- 
ten 1, has no events. If A is an arena, then its 
dual A^⊥ has the same components, but polarity reversed. The parallel com- 
position of A and B, written A || B, has as events the tagged disjoint union 
{1} × A ∪ {2} × B, and all other components inherited. For x_A ∈ C(A) and 
x_B ∈ C(B), we also write x_A || x_B ∈ C(A || B). Figure 9 displays the arena 
com^⊥ || bool^⊥ || bool. 


Fig. 9. An arena for a sequent (x : com, y : bool ⊢ bool) 


R-Augmentations. As hinted before, R-strategies will be collections of partially 
ordered plays with resource annotations in R, called R-augmentations. 


Definition 4. An augmentation [5] on arena A is a finite partial order q = 
(|q|, ≤_q) such that C(q) ⊆ C(A) (concerning configurations, augmentations are 
considered as event structures with empty conflict), which is courteous, in the 
sense that for all a_1 ⇢_q a_2, if pol_A(a_1) = + or pol_A(a_2) = −, then a_1 ⇢_A a_2. 
A R-augmentation also has (with [a]^−_q = {a' ≤_q a | pol_A(a') = −}) 


λ_q : (a ∈ |q|) → (R^{[a]^−_q} → R) 


such that if pol_A(a) = −, then λ_q(a)(ρ) = ρ_a, the projection on a of ρ ∈ R^{[a]^−_q}, 
and for all a ∈ |q|, λ_q(a) is monotone w.r.t. all of its variables. 
We write R-Aug(A) for the set of R-augmentations on A. 


If q, q' ∈ R-Aug(A), q is rigidly embedded in q', or a prefix of q', 
written q ↪ q', if |q| ∈ C(q'), for all a, a' ∈ |q|, a ≤_q a' iff a ≤_{q'} a', and 
for all a ∈ |q|, λ_q(a) = λ_{q'}(a). The R-plays of Sect. 2.3 are formalized as R- 
augmentations: Fig. 8 presents an R-augmentation on the arena of Fig. 9. The 
functional dependency in the annotation of positive events is represented by 


36 A. Alcolei et al. 


using the free variables introduced alongside negative events, however this is 
only a symbolic representation: the formal annotation is a function for each 
positive event. In the model of R-IPA, we will only use the particular case 
where the annotations of positive events only depend on the annotations of their 
immediate predecessors. 


R-Strategies. We start by defining R-strategies on arenas. 


Definition 5. A R-strategy on A is a non-empty prefiz-closed set of R-aug- 
mentations o C R-Aug(A) which is receptive [5]: for q € o such that |a| 
extends with a~ € A (i.e. pol(a) = —, a # |q], and |a| U {a} € @(A)), there is 
qo g €v such that |q’| = |q| U {a}. 

Ifo is a R-strategy on arena A, we write a: A. 


Observe that 7-strategies are fully described by their maximal augmenta- 
tions, i.e. augmentations that are the prefix of no other augmentations in the 
strategy. Our interpretation of new will use the R-strategy cell : [memy] || 
[mempr] (with arenas presented in Fig.10), comprising all the R-augmenta- 
tions rigidly included in either of the two from Fig. 11. These two match the 
race when reading and writing simultaneously: if both wtt™ and r~ are played 
the read may return ttt or ff, but it can only return ttt in the presence of 
wt. 


Fig. 10. $[\![\mathrm{mem}_W]\!]$ and $[\![\mathrm{mem}_R]\!]$ (figure not reproduced).

Fig. 11. Maximal R-augmentations of $\mathrm{cell}$ (figure not reproduced).


3.2 Interpretation of R-IPA 


Categorical Structure. In order to define the interpretation of terms of R-IPA as R-strategies, a key step is to show how to form a category of R-strategies. To do that we follow the standard idea of considering R-strategies from $A$ to $B$ to be simply R-strategies on the compound arena $A^\perp \parallel B$. As usual, our first example of an R-strategy between arenas is the copycat R-strategy.


Definition 6. Let $A$ be an arena. We define a partial order $\le_{\mathrm{cc}_A}$ on $A^\perp \parallel A$:

$$\le_{\mathrm{cc}_A} = \big(\{((1,a),(1,a')) \mid a \le_A a'\} \cup \{((2,a),(2,a')) \mid a \le_A a'\} \cup \{((1,a),(2,a)) \mid \mathrm{pol}_A(a) = +\} \cup \{((2,a),(1,a)) \mid \mathrm{pol}_A(a) = -\}\big)^*$$

where $(-)^*$ denotes the transitive closure of a relation. Note that if $a \in A^\perp \parallel A$ is positive, it has a unique immediate predecessor $\mathrm{pred}(a) \in A^\perp \parallel A$ for $\le_{\mathrm{cc}_A}$. If $x \parallel y \in \mathcal{C}(A^\perp \parallel A)$ is down-closed for $\le_{\mathrm{cc}_A}$ (write $\le_{x,y}$ for the restriction of $\le_{\mathrm{cc}_A}$ to $x \parallel y$), we define an R-augmentation $\mathrm{cc}_{x,y} = (x \parallel y, \le_{x,y}, \lambda_{x,y})$ where

$$\lambda_{x,y} : (a \in x \parallel y) \to (R^{[a]^-} \to R)$$

with $\lambda_{x,y}(a^-)(\rho) = \rho_a$, and $\lambda_{x,y}(a^+)(\rho) = \rho_{\mathrm{pred}(a)}$. Then, $\mathrm{cc}_A$ is the R-strategy comprising all $\mathrm{cc}_{x,y}$ for $x \parallel y \in \mathcal{C}(A^\perp \parallel A)$ down-closed for $\le_{\mathrm{cc}_A}$.
We first define interactions of R-augmentations, extending [5]. 


Definition 7. We say that $q \in R\text{-}\mathbf{Aug}(A^\perp \parallel B)$ and $p \in R\text{-}\mathbf{Aug}(B^\perp \parallel C)$ are causally compatible if $|q| = x_A \parallel x_B$, $|p| = x_B \parallel x_C$, and the preorder $\le_{p \circledast q}$ on $x_A \parallel x_B \parallel x_C$ defined as $(\le_q \cup \le_p)^*$ is a partial order.

Say $e \in x_A \parallel x_B \parallel x_C$ is negative if it is negative in $A^\perp \parallel C$. We define

$$\lambda_{p \circledast q} : (e \in x_A \parallel x_B \parallel x_C) \to (R^{[e]^-_{p \circledast q}} \to R)$$

as follows, by well-founded induction on $\le_{p \circledast q}$, for $\rho \in R^{[e]^-_{p \circledast q}}$:

$$\lambda_{p \circledast q}(e)(\rho) = \begin{cases} \lambda_p(e)\big((\lambda_{p \circledast q}(e')(\rho))_{e' \in [e]^-_p}\big) & \text{if } \mathrm{pol}_{B^\perp \parallel C}(e) = + \\ \lambda_q(e)\big((\lambda_{p \circledast q}(e')(\rho))_{e' \in [e]^-_q}\big) & \text{if } \mathrm{pol}_{A^\perp \parallel B}(e) = + \\ \rho_e & \text{otherwise, i.e. } e \text{ negative} \end{cases}$$

The interaction $p \circledast q$ of compatible $q, p$ is $(x_A \parallel x_B \parallel x_C, \le_{p \circledast q}, \lambda_{p \circledast q})$.

If $\sigma : A^\perp \parallel B$ and $\tau : B^\perp \parallel C$, we write $\tau \circledast \sigma$ for the set comprising all $p \circledast q$ such that $p \in \tau$ and $q \in \sigma$ are causally compatible. For $q \in \sigma$ and $p \in \tau$ causally compatible with $|p \circledast q| = x_A \parallel x_B \parallel x_C$, their composition is $p \odot q = (x_A \parallel x_C, \le_{p \odot q}, \lambda_{p \odot q})$ where $\le_{p \odot q}$ and $\lambda_{p \odot q}$ are the restrictions of $\le_{p \circledast q}$ and $\lambda_{p \circledast q}$. Finally, the composition of $\sigma : A^\perp \parallel B$ and $\tau : B^\perp \parallel C$ is the set comprising all $p \odot q$ for $q \in \sigma$ and $p \in \tau$ causally compatible.


Fig. 12. Example of interaction and composition between $\mathbb{R}_+$-augmentations (figure not reproduced).


In Fig. 12, we display an example composition between $\mathbb{R}_+$-augmentations, with also in gray the underlying interaction. The reader may check that the variant of the left $\mathbb{R}_+$-augmentation with $\mathrm{tt}$ replaced with $\mathrm{ff}$ is causally compatible with the other augmentation in Fig. 11, with composition $q^-_x \to \mathrm{ff}^+$.

We also have a tensor operation: on arenas, $A \otimes B$ is simply a synonym for $A \parallel B$. If $q_1 \in R\text{-}\mathbf{Aug}(A_1^\perp \parallel B_1)$ and $q_2 \in R\text{-}\mathbf{Aug}(A_2^\perp \parallel B_2)$, their tensor product $q_1 \otimes q_2 \in R\text{-}\mathbf{Aug}((A_1 \otimes A_2)^\perp \parallel (B_1 \otimes B_2))$ is defined in the obvious way. This is lifted to R-strategies element-wise. As is common when constructing basic categories of games and strategies, we have:


Proposition 1. There is a compact closed category R-Strat having arenas as 
objects, and as morphisms, R-strategies between them. 


Negative Arenas and R-Strategies. As a compact closed category, R-Strat is a model of the linear $\lambda$-calculus. However, we will (as usual for call-by-name) instead interpret R-IPA in a sub-category of negative arenas and strategies, in which the empty arena $1$ is terminal, providing the interpretation of weakening. We will stay very brief here, as this proceeds exactly as in [5].

A partial order with polarities is negative if all its minimal events are. This applies in particular to arenas, and R-augmentations. An R-strategy is negative if all its R-augmentations are. A negative R-augmentation $q \in R\text{-}\mathbf{Aug}(A)$ is well-threaded if for all $a \in |q|$, $[a]_q$ has exactly one minimal event; an R-strategy is well-threaded iff all its R-augmentations are. We have:


Proposition 2. Negative arenas and negative well-threaded R-strategies form a cartesian symmetric monoidal closed category R-Strat$_-$, with $1$ terminal. We also write $\sigma : A \vdash B$ for morphisms in R-Strat$_-$.


The closure of R-Strat does not transport to R-Strat$_-$ as $A^\perp \parallel B$ is never negative if $A$ is non-empty, thus we replace it with a negative version. Here we describe only a restricted case of the general construction in [5], which is however sufficient for the types of R-IPA. If $A, B$ are negative arenas and $B$ is well-opened, i.e. it has exactly one minimal event $b$, we form $A \Rightarrow B$ as having all components as in $A^\perp \parallel B$, with additional dependencies $\{((2,b),(1,a)) \mid a \in A\}$.


Fig. 13. Maximal R-augmentations of the R-strategies $\mathrm{seq}_X : \mathrm{com} \otimes X \vdash X$, $\mathrm{if}_X : \mathrm{bool} \otimes (X \& X) \vdash X$ and $\mathrm{par}_X : \mathrm{com} \otimes X \vdash X$ used in the interpretation (figure not reproduced).


Using the compact closed structure of R-Strat it is easy to build a copycat R-strategy $\mathrm{ev}_{A,B} : (A \Rightarrow B) \otimes A \vdash B$, and to associate to any $\sigma : C \otimes A \vdash B$ some $\Lambda(\sigma) : C \vdash A \Rightarrow B$ providing the monoidal closure. The cartesian product of $A$ and $B$ is $A \& B$ with components the same as $A \parallel B$, except for $(1,a) \mathrel{\#} (2,b)$ for all $a \in A$, $b \in B$. We write $\pi_i : A_1 \& A_2 \vdash A_i$ for the projections, and $\langle \sigma, \tau \rangle : A \vdash B \& C$ for the pairing of $\sigma : A \vdash B$ and $\tau : A \vdash C$.
Interpretation of R-IPA. We set $[\![\mathrm{com}]\!] = \mathrm{run}^- \to \mathrm{done}^+$, $[\![\mathrm{bool}]\!]$ as in the right-hand side of Fig. 9, $[\![\mathrm{mem}_W]\!]$ and $[\![\mathrm{mem}_R]\!]$ as in Fig. 10, and $[\![A \to B]\!] = [\![A]\!] \Rightarrow [\![B]\!]$ as expected. Contexts $\Gamma = x_1 : A_1, \ldots, x_n : A_n$ are interpreted as $[\![\Gamma]\!] = \bigotimes_{1 \le i \le n} [\![A_i]\!]$. Terms $\Gamma \vdash M : A$ are interpreted as $[\![M]\!] : [\![\Gamma]\!] \vdash [\![A]\!]$ as follows: $[\![\bot]\!]$ is the diverging R-strategy (no player move), $[\![\mathbf{consume}(\alpha)]\!]$ has only maximal R-augmentation $\mathrm{run}^-_x \to \mathrm{done}^+_{x;\alpha}$, $[\![\mathbf{skip}]\!]$ is $[\![\mathbf{consume}(0)]\!]$, and $\mathrm{tt}$ and $\mathrm{ff}$ are interpreted similarly with the adequate constant R-strategies. The rest of the interpretation is given below, using the two obvious isos $\mathrm{deref} : [\![\mathrm{mem}_R]\!] \vdash [\![\mathrm{bool}]\!]$ and $\mathrm{assign} : [\![\mathrm{mem}_W]\!] \vdash [\![\mathrm{com}]\!]$; the R-strategy $\mathrm{cell}$ introduced in Fig. 11; and additional R-strategies with typical R-augmentations in Fig. 13. We omit the (standard) clauses for the $\lambda$-calculus.

$$[\![M; N : X]\!] = \mathrm{seq}_X \odot ([\![M]\!] \otimes [\![N]\!])$$

$$[\![M \parallel N : X]\!] = \mathrm{par}_X \odot ([\![M]\!] \otimes [\![N]\!])$$

$$[\![\mathbf{if}\ M\ N_1\ N_2 : X]\!] = \mathrm{if}_X \odot ([\![M]\!] \otimes \langle [\![N_1]\!], [\![N_2]\!] \rangle)$$

$$[\![\,!M : \mathrm{bool}]\!] = \mathrm{deref} \odot [\![M]\!]$$

$$[\![M := \mathrm{tt} : \mathrm{com}]\!] = \mathrm{assign} \odot [\![M]\!]$$

$$[\![\mathbf{new}\ x, y\ \mathbf{in}\ M : X]\!] = [\![M]\!] \odot ([\![\Gamma]\!] \otimes \mathrm{cell})$$


3.3 Soundness 


Now that we have defined the game semantics of R-IPA, we set to prove that it is sound with respect to the operational semantics given in Sect. 2.2.

We first introduce a useful notation. For any type $A$, $[\![A]\!]$ has a unique minimal event; write $\langle A \rangle$ for the arena without this minimal event. Likewise, if $\Gamma \vdash M : A$, then by construction, $[\![M]\!] : [\![\Gamma]\!]^\perp \parallel [\![A]\!]$ is a negative R-strategy whose augmentations all share the same minimal event $q^-_x$, where $q^-$ is minimal in $A$. For $\alpha \in R$, write $\langle M \rangle_\alpha$ for $[\![M]\!]$ without $q^-_x$, with $x$ replaced by $\alpha$. Then we have $\langle M \rangle_\alpha : [\![\Gamma]\!]^\perp \parallel \langle A \rangle$; one may think of $\langle M \rangle_\alpha$ as "$M$ started with consumed resource $\alpha$".

Naively, one may expect soundness to state that for all $\vdash M : \mathrm{com}$, if $M \Downarrow_\alpha$, then $\langle M \rangle_0 = \mathrm{done}^+_\alpha$. However, whereas the resource annotations in the semantics are always as good as permitted by the causal constraints, derivations in the operational semantics may be sub-optimal. For instance, we may derive $M \Downarrow_\alpha$ not using the parallel rule at all. So our statement is:

Theorem 1. If $\vdash M : \mathrm{com}$ with $M \Downarrow_\alpha$, there is $\beta \le_R \alpha$ s.t. $\langle M \rangle_0 = \mathrm{done}^+_\beta$.


Our proof methodology is standard: we replay operational derivations as 
augmentations in the denotational semantics. Stating the invariant successfully 
proved by induction on operational derivations requires some technology. 

If s is a store, then write cell, : [{2(s)] for the memory strategy for store s. It 


is defined as @geqom(s)Cellse) where cell. = cell, cellge is the R-strategy with only 
+ 


xla cellņya has maximal R-augmentation 


maximal R-augmentation wtt, — ok 


ry = tiy and the empty R-strategy for the other cases. If s <m s’, then 




$s'$ can be obtained from $s$ using memory operations and there is a matching R-augmentation $q_{s \triangleright s'} \in \mathrm{cell}_s$ defined location-wise in the obvious way.

Now, if $\sigma : [\![\Omega(s)]\!]^\perp \parallel \langle A \rangle$ is an R-strategy and $q \in \sigma$ with moves only in $[\![\Omega(s)]\!]^\perp$ is causally compatible with $q_{s \triangleright s'}$, we define the residual of $\sigma$ after $q$:

$$\sigma / (q \circledast q_{s \triangleright s'}) : [\![\Omega(s')]\!]^\perp \parallel \langle A \rangle$$

If $p \in \sigma$ with $q \hookrightarrow p$, we write first $p' = p / (q \circledast q_{s \triangleright s'})$ the R-augmentation with $|p'| = |p| \setminus |q|$, and with causal order the restriction of that of $p$. For $e \in |p'|$, we set $\lambda_{p'}(e)$ to be $\lambda_p(e)$ whose arguments corresponding to negative events $e'$ in $q$ are instantiated with $\lambda_{q \circledast q_{s \triangleright s'}}(e') \in R$. With that, we set $\sigma / (q \circledast q_{s \triangleright s'})$ as comprising all $p / (q \circledast q_{s \triangleright s'})$ for $p \in \sigma$ with $q \hookrightarrow p$.

Informally, this means that, considering some $q$ which represents a scheduling of the memory operations turning $s$ into $s'$, we extract from $\sigma$ its behavior after the execution of these memory operations. Finally, we generalize $\le_R$ to R-augmentations by setting $q \le_R q'$ iff they have the same underlying partial order and for all $e \in |q|$, $\lambda_q(e) \le_R \lambda_{q'}(e)$. With that, we can finally state:


Lemma 1. Let $\Omega(s) \vdash M : A$, $(M, s_1, \alpha) \Rightarrow (M', s'_1 \uplus s_2, \alpha')$ with $\mathrm{dom}(s_1) = \mathrm{dom}(s'_1)$, and all resource annotations in $s_1$ lower than $\alpha$. Then, there is $q \in \langle M \rangle_\alpha$ with events in $[\![\Omega(s)]\!]$, causally compatible with $q_{s_1 \triangleright s'_1}$, and a function

$$\varphi : \langle M' \rangle_{\alpha'} \circledast \mathrm{cell}_{s_2} \to \langle M \rangle_\alpha / (q \circledast q_{s_1 \triangleright s'_1})$$

preserving $\hookrightarrow$ and s.t. for all $p \circledast q_{s_2} \in \langle M' \rangle_{\alpha'} \circledast \mathrm{cell}_{s_2}$, $\varphi(p \circledast q_{s_2}) \le_R p \circledast q_{s_2}$.


This is proved by induction on the operational semantics; the critical cases are: assignment and dereferenciation exploiting that if $\alpha \le_R \beta$, then $\alpha \parallel \beta = \beta$ (which boils down to idempotence); and parallel composition where compatibility of $s'$ and $s''$ entails that the corresponding augmentations of $\mathrm{cell}_s$ are compatible.

Lemma 1, instantiated with $(M, \emptyset, 0) \Rightarrow (\mathbf{skip}, s, \alpha)$, yields soundness.


Non-adequacy. Our model is not adequate. To see why, consider:

$$\vdash \mathbf{new}\ x_W, x_R\ \mathbf{in}\ \big(\mathbf{wait}(1);\ x_W := \mathrm{tt};\ \mathbf{wait}(2)\big) \parallel \big(\mathbf{wait}(2);\ !x_R;\ \mathbf{wait}(1)\big) : \mathrm{bool}$$

Our model predicts that this may evaluate to $\mathrm{tt}$ in 3s (see Fig. 12) and to $\mathrm{ff}$ in 4s. However, the operational semantics can only evaluate it (both to $\mathrm{tt}$ and $\mathrm{ff}$) in 4s. Intuitively, the reason is that the causal shapes implicit in the reduction $\Rightarrow$ are all series-parallel (generated with sequential and parallel composition), whereas the interaction in Fig. 12 is not.

Our causal semantic approach yields a finer resource analysis than achieved by the parallel operational semantics. The operational semantics, rather than our model, is to blame for non-adequacy: indeed, we now show that for $R = \mathbb{R}_+$ our model is adequate w.r.t. an operational semantics specialized for time.
4 Adequacy for Time

For time, we may refine the operational semantics by adding the following rule

$$(\mathbf{wait}(t_1 + t_2), s, t_0) \Rightarrow (\mathbf{wait}(t_2), s, t_0 + t_1)$$

using which the program above evaluates to $\mathrm{tt}$ in 3s. It is clear that the soundness theorem of the previous section is retained.

We first focus on adequacy for first-order programs without abstraction or application, written $\Omega(s) \vdash_1 M : \mathrm{com}$. For any $t_0 \in \mathbb{R}_+$ there is $(M, s, t_0) \Rightarrow (M', s \uplus s', t_0)$ where $\langle M \rangle = \langle M' \rangle \odot \mathrm{cell}_{s'}$ and $M'$ is in canonical form: it cannot be decomposed as $C[\mathbf{skip}; N]$, $C[\mathbf{skip} \parallel N]$, $C[N \parallel \mathbf{skip}]$, $C[\mathbf{if}\ \mathrm{tt}\ N_1\ N_2]$, $C[\mathbf{if}\ \mathrm{ff}\ N_1\ N_2]$, $C[\mathbf{wait}(0)]$ and $C[\mathbf{new}\ x, y\ \mathbf{in}\ N]$ for $C[\,]$ an evaluation context.

Consider $\Omega(s) \vdash_1 M : \mathrm{com}$, and $q \in \langle M \rangle \circledast \mathrm{cell}_s$ with a top element $\mathrm{done}^+_{t_f}$ in $\langle \mathrm{com} \rangle$, the result; i.e. $q$ describes an interaction between $\langle M \rangle$ and the memory leading to a successful evaluation to $\mathrm{done}$ at time $t_f$. To prove adequacy, we must extract from it a derivation from $(M, s, t_0)$, at time $t_f$.

Apart from the top $\mathrm{done}^+_{t_f}$, $q$ only records memory operations, which we must replicate operationally in the adequate order. A minimal operation with timing $t$ is either the top $\mathrm{done}^+_t$ if it is the only event in $q$, or a prefix $(m^-_t \to n^+_{t'}) \hookrightarrow q$ corresponding to a memory operation (for instance, in augmentations of Fig. 14, the only minimal operation has timing 2). If $t = t_0$, this operation should be performed immediately. If $t > t_0$ we need to spend time to trigger it; it is then critical to spend time on all available waits in parallel:


Lemma 2. For $\Omega(s) \vdash_1 M : \mathrm{com}$ in canonical form, $t_0 \in \mathbb{R}_+$, $q \in \langle M \rangle_{t_0} \circledast \mathrm{cell}_s$ with result $\mathrm{done}^+_{t_f}$, if all minimal operations have timing strictly greater than $t_0$,

$$(M, s, t_0) \Rightarrow (M', s, t_0 + t)$$

for some $t > 0$ and $M'$ only differing from $M$ by having smaller annotations in wait commands and at least one wait changed to skip. Furthermore, there is $q \le_R q'$ with $q' \in \langle M' \rangle_{t_0 + t} \circledast \mathrm{cell}_s$ with result $\mathrm{done}^+_{t_f}$.


Fig. 14. Spending time adequately (where $\mathbf{test}\ M = \mathbf{if}\ M\ \mathbf{skip}\ \bot$); figure not reproduced.
Proof. As $M$ is in canonical form, all delays in minimal operations are impacted by $\mathbf{wait}(t)$ commands in head position (i.e. such that $M = C[\mathbf{wait}(t)]$). Let $t_{\min}$ be the minimal time appearing in those $\mathbf{wait}(-)$ commands in head position. Using our new rule and parallel composition, we subtract $t_{\min}$ from all such instances of $\mathbf{wait}(-)$; then transform the resulting occurrences of $\mathbf{wait}(0)$ to $\mathbf{skip}$.

A representative example is displayed in Fig. 14. In the second step, though $!x_R$ is available immediately, we must wait to get the right result.


With that we can prove the key lemma towards adequacy. 


Lemma 3. Let $\Omega(s) \vdash_1 M : \mathrm{com}$, $t_0 \in \mathbb{R}_+$, and $q \in \langle M \rangle_{t_0} \circledast \mathrm{cell}_s$ with result $\mathrm{done}^+_{t_f}$ in $\langle \mathrm{com} \rangle$. Then, there is $(M, s, t_0) \Rightarrow (\mathbf{skip}, \_, t_f)$.


Proof. By induction on the size of $M$. First, we convert $M$ to canonical form. If all minimal operations in $q \in \langle M \rangle_{t_0} \circledast \mathrm{cell}_s$ have timing strictly greater than $t_0$, we apply Lemma 2 and conclude by induction hypothesis.

Otherwise, at least one minimal operation has timing $t_0$. If it is the result $\mathrm{done}^+_{t_0}$ in $\langle \mathrm{com} \rangle$, then $M$ is the constant $\mathbf{skip}$. Otherwise, it is a memory operation, say $p \hookrightarrow q$ with $p = (r_{t_0} \to b^+_{t_0})$, and write also $s' = s[\ell \mapsto s(\ell).R^{t_0}]$. It follows then by an induction on $M$ that $M = C[!\ell_R]$ for some $C[\,]$, with

$$q / (p \circledast q_{s \triangleright s'}) \in \langle C[b] \rangle_{t_0} \circledast \mathrm{cell}_{s'}$$

so $(M, s, t_0) \Rightarrow (C[b], s', t_0) \Rightarrow (\mathbf{skip}, \_, t_f)$ by induction hypothesis.


Adequacy follows for higher-order programs: in general, any $\vdash M : \mathrm{com}$ can be $\beta$-reduced to first-order $M'$, leaving the interpretation unchanged. By Church-Rosser, $M'$ behaves like $M$ operationally, up to weak bisimulation. Hence:

Theorem 2. Let $\vdash M : \mathrm{com}$. For any $t \in \mathbb{R}_+$, if $\mathrm{done}^+_t \in \langle M \rangle_0$ then $M \Downarrow_t$.


5 Conclusion 


It would be interesting to compare our model with structures used in timing 
analysis, for instance [23] relies on a concurrent generalization of control flow 
graphs that is reminiscent of event structures. In future work we also plan to 
investigate whether our annotated model construction could be used for other 
purposes, such as symbolic execution or abstract interpretation. 
Abstract. Change structures, introduced by Cai et al., have recently been proposed as a semantic framework for incremental computation. We generalise change actions, an alternative to change structures, to arbitrary cartesian categories and propose the notion of change action model as a categorical model for (higher-order) generalised differentiation. Change action models naturally arise from many geometric and computational settings, such as (generalised) cartesian differential categories, group models of discrete calculus, and Kleene algebra of regular expressions. We show how to build canonical change action models on arbitrary cartesian categories, reminiscent of the Faà di Bruno construction.


1 Introduction 


Incremental computation is the process of incrementally updating the output 
of some given function as the input is gradually changed, without recomputing 
the entire function from scratch. Recently, Cai et al. [6] introduced the notion of 
change structure to give a semantic account of incremental computation. Change 
structures have subsequently been generalised to change actions [2], and pro- 
posed as a model for automatic differentiation [16]. These developments raise a 
number of questions about the structure of change actions themselves and how 
they relate to more traditional notions of differentiation. 

A change action $A = (|A|, \Delta A, \oplus_A, +_A, 0_A)$ is a set $|A|$ equipped with a monoid $(\Delta A, +_A, 0_A)$ acting on it, via action $\oplus_A : |A| \times \Delta A \to |A|$. For example, every monoid $(S, +, 0)$ gives rise to a (so-called monoidal) change action $(S, S, +, +, 0)$. Given change actions $A$ and $B$, consider functions $f : |A| \to |B|$. A derivative of $f$ is a function $\partial f : |A| \times \Delta A \to \Delta B$ such that for all $a \in |A|$, $\delta a \in \Delta A$, $f(a \oplus_A \delta a) = f(a) \oplus_B \partial f(a, \delta a)$. Change actions and differentiable functions (i.e. functions that have a regular derivative) organise themselves into categories (and indeed 2-categories) with finite (co)products, whereby morphisms are composed via the chain rule.

The definition of change actions (and derivatives of functions) makes no use 
of properties of Set beyond the existence of products. We develop the theory 
of change actions on arbitrary cartesian categories and study their properties. 
A first contribution is the notion of a change action model, which is defined to be a coalgebra for a certain (copointed) endofunctor $\mathbf{CAct}$ on the category $\mathbf{Cat}_\times$ of (small) cartesian categories. The functor $\mathbf{CAct}$ sends a category $\mathcal{C}$ to the category $\mathbf{CAct}(\mathcal{C})$ of (internal) change actions and differential maps on $\mathcal{C}$.

There is a natural, extrinsic, notion of higher-order derivative in change action models. In such a model $\alpha : \mathcal{C} \to \mathbf{CAct}(\mathcal{C})$, a $\mathcal{C}$-object $A$ is associated (via $\alpha$) with a change action, the carrier object of whose monoid is in turn associated with a change action, and so on ad infinitum. We construct a "canonical" change action model, $\mathbf{CAct}_\omega(\mathcal{C})$, that internalises such $\omega$-sequences that exhibit higher-order differentiation. Objects of $\mathbf{CAct}_\omega(\mathcal{C})$ are $\omega$-sequences of "contiguously compatible" change actions; and morphisms are corresponding $\omega$-sequences of differential maps, each map being the canonical (via $\alpha$) derivative of the preceding in the $\omega$-sequence. We show that $\mathbf{CAct}_\omega(\mathcal{C})$ is the final $\mathbf{CAct}$-coalgebra (relativised to change action models on $\mathcal{C}$). The category $\mathbf{CAct}_\omega(\mathcal{C})$ may be viewed as a kind of Faà di Bruno construction [8, 10] in the more general setting of change action models.

Change action models capture many versions of differentiation that arise in mathematics and computer science. We illustrate their generality via three examples. The first, (generalised) cartesian differential categories (GCDC) [4, 10], are themselves an axiomatisation of the essential properties of the derivative. We show that a GCDC $\mathcal{C}$, which by definition associates every object $A$ with a monoid $L(A) = (L_0(A), +_A, 0_A)$, gives rise to change action models in various non-trivial ways.

Secondly we show how discrete differentiation in both the calculus of finite 
differences [15] and Boolean differential calculus [22,23] can be modelled using 
the full subcategory GrPset of Set whose objects are groups. Our unifying 
formulation generalises these discrete calculi to arbitrary groups, and gives an 
account of the chain rule in these settings. 

Our third example is differentiation of regular expressions. Recall that Kleene 
algebra K is the algebra of regular expressions. We show that the algebra of 
polynomials over a commutative Kleene algebra is a change action model. 


Outline. In Sect. 2 we present the basic definitions of change actions and differential maps, and show how they can be organised into categories. The theory of change actions is extended to arbitrary cartesian categories $\mathcal{C}$ in Sect. 3: we introduce the category $\mathbf{CAct}(\mathcal{C})$ of internal change actions on $\mathcal{C}$. In Sect. 4 we present change action models, and properties of the tangent bundle functors. In Sect. 5 we illustrate the unifying power of change action models via three examples. In Sect. 6, we study the category $\mathbf{CAct}_\omega(\mathcal{C})$ of $\omega$-change actions and $\omega$-differential maps. Missing proofs are provided in an extended version of the present paper [1].
2 Change Actions


A change action is a tuple $A = (|A|, \Delta A, \oplus_A, +_A, 0_A)$ where $|A|$ and $\Delta A$ are sets, $(\Delta A, +_A, 0_A)$ is a monoid, and $\oplus_A : |A| \times \Delta A \to |A|$ is an action of the monoid on $|A|$.$^1$ We omit the subscript from $\oplus_A$, $+_A$ and $0_A$ whenever we can.


Definition 1 (Derivative condition). Let $A$ and $B$ be change actions. A function $f : |A| \to |B|$ is differentiable if there is a function $\partial f : |A| \times \Delta A \to \Delta B$ satisfying $f(a \oplus_A \delta a) = f(a) \oplus_B \partial f(a, \delta a)$, for all $a \in |A|$, $\delta a \in \Delta A$. We call $\partial f$ a derivative for $f$, and write $f : A \to B$ whenever $f$ is differentiable.

Lemma 1 (Chain rule). Given $f : A \to B$ and $g : B \to C$ with derivatives $\partial f$ and $\partial g$ respectively, the function $\partial(g \circ f) : |A| \times \Delta A \to \Delta C$ defined by $\partial(g \circ f)(a, \delta a) = \partial g(f(a), \partial f(a, \delta a))$ is a derivative for $g \circ f : |A| \to |C|$.

Proof. Unpacking the definition, we have $(g \circ f)(a) \oplus_C \partial(g \circ f)(a, \delta a) = g(f(a)) \oplus_C \partial g(f(a), \partial f(a, \delta a)) = g(f(a) \oplus_B \partial f(a, \delta a)) = g(f(a \oplus_A \delta a))$, as desired.


Example 1 (Some useful change actions).

1. If $(A, +, 0)$ is a monoid, $(A, A, +, +, 0)$ is a change action (called monoidal).

2. For any set $A$, $A_\star = (A, \{\star\}, \pi_1, \pi_1, \star)$ is a (trivial) change action.

3. Let $A \Rightarrow B$ be the set of functions from $A$ to $B$, and $\mathrm{ev}_{A,B} : A \times (A \Rightarrow B) \to B$ be the usual evaluation map. Then $(A, A \Rightarrow A, \mathrm{ev}_{A,A}, \circ, \mathrm{Id}_A)$ is a change action. If $U \subseteq (A \Rightarrow A)$ contains the identity map and is closed under composition, $(A, U, \mathrm{ev}_{A,A}|_{A \times U}, \circ|_{U \times U}, \mathrm{Id}_A)$ is a change action.


Regular Derivatives. The preceding definitions neither assume nor guarantee a derivative to be additive (i.e. they may not satisfy $\partial f(x, \Delta a + \Delta b) = \partial f(x, \Delta a) + \partial f(x, \Delta b)$), as they are in standard differential calculus. A strictly weaker condition that we will now require is regularity: if a derivative is additive in its second argument then it is regular, but not vice versa. Under some conditions, the converse is also true.

Definition 2. Given a differentiable map $f : A \to B$, a derivative $\partial f$ for $f$ is regular if, for all $a \in |A|$ and $\delta a, \delta b \in \Delta A$, we have $\partial f(a, 0_A) = 0_B$ and $\partial f(a, \delta a +_A \delta b) = \partial f(a, \delta a) +_B \partial f(a \oplus_A \delta a, \delta b)$.

Proposition 1. Whenever $f : A \to B$ is differentiable and has a unique derivative $\partial f$, this derivative is regular.

Proposition 2. Given $f : A \to B$ and $g : B \to C$ with regular derivatives $\partial f$ and $\partial g$ respectively, the derivative $\partial(g \circ f) = \partial g \circ \langle f \circ \pi_1, \partial f \rangle$ is regular.


1 Change actions are closely related to the notion of change structures introduced in [6] but differ from the latter in not being dependently typed or assuming the existence of an $\ominus$ operator, and requiring $\Delta A$ to have a monoid structure compatible with the map $\oplus$.
Two Categories of Change Actions. The study of change actions can be undertaken in two ways: one can consider functions that are differentiable (without choosing a derivative); alternatively, the derivative itself can be considered part of the morphism. The former leads to the category $\mathbf{CAct}^{\sim}$, whose objects are change actions and morphisms are the differentiable maps.

The category $\mathbf{CAct}^{\sim}$ was the category we originally proposed [2]. It is well-behaved, possessing limits, colimits, and exponentials, which is a trivial corollary of the following result:

Theorem 1. The category $\mathbf{CAct}^{\sim}$ of change actions and differentiable morphisms is equivalent to $\mathbf{PreOrd}$, the category of preorders and monotone maps.

The actual structure of the limits and colimits in $\mathbf{CAct}^{\sim}$ is, however, not so satisfactory. One can, for example, obtain the product of two change actions $A$ and $B$ by taking their product in $\mathbf{PreOrd}$ and turning it into a change action, but the corresponding monoid action map $\oplus$ is not, in general, easily expressible, even if those for $A$ and $B$ are. Derivatives of morphisms in $\mathbf{CAct}^{\sim}$ can also be hard to obtain, as exhibiting $f$ as a morphism in $\mathbf{CAct}^{\sim}$ merely proves it is differentiable but gives no clue as to how a derivative might be constructed.

A more constructive approach is to consider a morphism as a function together with a choice of a derivative for it.

Definition 3. Given change actions $A$ and $B$, a differential map $f : A \to B$ is a pair $(|f|, \partial f)$ where $|f| : |A| \to |B|$ is a function, and $\partial f : |A| \times \Delta A \to \Delta B$ is a regular derivative for $|f|$.

The category $\mathbf{CAct}$ has change actions as objects and differential maps as morphisms. The identity morphisms are $(\mathrm{Id}_A, \pi_2)$; given morphisms $f : A \to B$ and $g : B \to C$, define the composite $g \circ f := (|g| \circ |f|, \partial g \circ \langle |f| \circ \pi_1, \partial f \rangle) : A \to C$.

Finite products and coproducts exist in CAct (see Theorems 2 and 4 for 
a more general statement). Whether limits and colimits exist in CAct beyond 
products and coproducts is open. 


Remark 1. If one thinks of changes (i.e. elements of AA) as morphisms between 
elements of |A|, then regularity resembles functoriality. This intuition is explored 
in [1, Appendix F], where we show that categories of change actions organise 
themselves into 2-categories. 


3 Change Actions on Arbitrary Categories 


The definition of change actions makes no use of any properties of Set beyond 
the existence of products. Indeed, change actions can be characterised as just a 
kind of multi-sorted algebra, which is definable in any category with products. 


The Category $\mathbf{CAct}(\mathcal{C})$. Consider the category $\mathbf{Cat}_\times$ of (small) cartesian categories (i.e. categories with chosen finite products) and product-preserving functors. We can define an endofunctor $\mathbf{CAct} : \mathbf{Cat}_\times \to \mathbf{Cat}_\times$ sending a category $\mathcal{C}$ to the category of (internal) change actions on $\mathcal{C}$.
The objects of $\mathbf{CAct}(\mathcal{C})$ are tuples $A = (|A|, \Delta A, \oplus_A, +_A, 0_A)$ where $|A|$ and $\Delta A$ are (arbitrary) objects in $\mathcal{C}$, $(\Delta A, +_A, 0_A)$ is a monoid object in $\mathcal{C}$, and $\oplus_A : |A| \times \Delta A \to |A|$ is a monoid action in $\mathcal{C}$, i.e. a $\mathcal{C}$-morphism satisfying, for all $a : C \to |A|$, $\delta_1 a, \delta_2 a : C \to \Delta A$:

$$\oplus_A \circ \langle a, 0_A \circ\, ! \rangle = a$$

$$\oplus_A \circ \langle a, +_A \circ \langle \delta_1 a, \delta_2 a \rangle \rangle = \oplus_A \circ \langle \oplus_A \circ \langle a, \delta_1 a \rangle, \delta_2 a \rangle$$

Given objects $A, B$ in $\mathbf{CAct}(\mathcal{C})$, the morphisms of $\mathbf{CAct}(A, B)$ are pairs $f = (|f|, \partial f)$ where $|f| : |A| \to |B|$ and $\partial f : |A| \times \Delta A \to \Delta B$ are morphisms in $\mathcal{C}$, satisfying a diagrammatic version of the derivative condition: the square with top arrow $\langle |f| \circ \pi_1, \partial f \rangle : |A| \times \Delta A \to |B| \times \Delta B$, vertical arrows $\oplus_A$ and $\oplus_B$, and bottom arrow $|f| : |A| \to |B|$ commutes, i.e.

$$|f| \circ \oplus_A = \oplus_B \circ \langle |f| \circ \pi_1, \partial f \rangle$$

Additionally, we require our derivatives to be regular, as in Definition 2, i.e. for all morphisms $a : C \to |A|$, $\delta_1 a, \delta_2 a : C \to \Delta A$, the following equations hold:

$$\partial f \circ \langle a, 0_A \circ\, ! \rangle = 0_B \circ\, !$$

$$\partial f \circ \langle a, +_A \circ \langle \delta_1 a, \delta_2 a \rangle \rangle = +_B \circ \langle \partial f \circ \langle a, \delta_1 a \rangle, \partial f \circ \langle \oplus_A \circ \langle a, \delta_1 a \rangle, \delta_2 a \rangle \rangle$$

The chain rule can then be expressed naturally by pasting two instances of the previous diagram together: the top row is $\langle |f| \circ \pi_1, \partial f \rangle : |A| \times \Delta A \to |B| \times \Delta B$ followed by $\langle |g| \circ \pi_1, \partial g \rangle : |B| \times \Delta B \to |C| \times \Delta C$, with composite $\langle (|g| \circ |f|) \circ \pi_1, \partial g \circ \langle |f| \circ \pi_1, \partial f \rangle \rangle$, the vertical arrows are $\oplus_A$, $\oplus_B$, $\oplus_C$, and the bottom row is $|f|$ followed by $|g|$. Hence $g \circ f = (|g| \circ |f|, \partial g \circ \langle |f| \circ \pi_1, \partial f \rangle)$.

Now, given a product-preserving functor $F : \mathcal{C} \to \mathcal{D}$, there is a corresponding functor $\mathbf{CAct}(F) : \mathbf{CAct}(\mathcal{C}) \to \mathbf{CAct}(\mathcal{D})$ given by:

$$\mathbf{CAct}(F)(|A|, \Delta A, \oplus_A, +_A, 0_A) = (F(|A|), F(\Delta A), F(\oplus_A), F(+_A), F(0_A))$$

$$\mathbf{CAct}(F)(|f|, \partial f) = (F(|f|), F(\partial f))$$


We can embed $\mathcal{C}$ fully and faithfully into $\mathbf{CAct}(\mathcal{C})$ via the functor $\eta_{\mathcal{C}}$ which sends an object $A$ of $\mathcal{C}$ to the "trivial" change action $A_\star = (A, \top, \pi_1, !, !)$ and every morphism $f : A \to B$ of $\mathcal{C}$ to the morphism $(f, !)$. As before, this functor extends to a natural transformation from the identity functor to $\mathbf{CAct}$.

Additionally, there is an obvious forgetful functor $\varepsilon_{\mathcal{C}} : \mathbf{CAct}(\mathcal{C}) \to \mathcal{C}$, which defines the components of a natural transformation $\varepsilon$ from the functor $\mathbf{CAct}$ to the identity endofunctor $\mathrm{Id}$.
Given $\mathcal{C}$, consider the functor $\mathbf{CAct}(\varepsilon_{\mathcal{C}}) : \mathbf{CAct}(\mathbf{CAct}(\mathcal{C})) \to \mathbf{CAct}(\mathcal{C})$.$^2$ Explicitly, this functor maps an object $(A, B, \oplus, +, 0)$ in $\mathbf{CAct}(\mathbf{CAct}(\mathcal{C}))$ to the object $(|A|, |B|, |\oplus|, |+|, |0|)$. Intuitively, $\varepsilon_{\mathbf{CAct}(\mathcal{C})}$ prefers the "original" structure on objects, whereas $\mathbf{CAct}(\varepsilon_{\mathcal{C}})$ prefers the "higher" structure. The equaliser of these two functors is precisely the category of change actions whose higher structure is the original structure.


Products and Coproducts in $\mathbf{CAct}(\mathcal{C})$. We have defined $\mathbf{CAct}$ as an endofunctor on cartesian categories. This is well-defined: if $\mathcal{C}$ has all finite (co)products, so does $\mathbf{CAct}(\mathcal{C})$. Let $A = (|A|, \Delta A, \oplus_A, +_A, 0_A)$ and $B = (|B|, \Delta B, \oplus_B, +_B, 0_B)$ be change actions on $\mathcal{C}$. We present their product and coproduct as follows.

Theorem 2. The following change action is the product of $A$ and $B$ in $\mathbf{CAct}(\mathcal{C})$:

$$A \times B := (|A| \times |B|,\ \Delta A \times \Delta B,\ \oplus_{A \times B},\ +_{A \times B},\ \langle 0_A, 0_B \rangle)$$

where $\oplus_{A \times B} = \langle \oplus_A \circ (\pi_1 \times \pi_1), \oplus_B \circ (\pi_2 \times \pi_2) \rangle$ and $+_{A \times B} := \langle +_A \circ (\pi_1 \times \pi_1), +_B \circ (\pi_2 \times \pi_2) \rangle$. The projections are $\hat{\pi}_1 = (\pi_1, \pi_1 \circ \pi_2)$ and $\hat{\pi}_2 = (\pi_2, \pi_2 \circ \pi_2)$, writing $\hat{f}$ for maps $f$ in $\mathbf{CAct}$ to distinguish them from $\mathcal{C}$-maps.

Theorem 3. The change action $\top = (\top, \top, \pi_1, \pi_1, \mathrm{Id}_\top)$ is the terminal object in $\mathbf{CAct}(\mathcal{C})$, where $\top$ is the terminal object of $\mathcal{C}$. Furthermore, if $A$ is a change action, every point $|f| : \top \to |A|$ in $\mathcal{C}$ is differentiable, with (unique) derivative $0_A$.

Whenever we have a differential map $f : A \times B \to C$ between change actions, we can compute its derivative $\partial f$ by adding together its "partial" derivatives:$^3$

Lemma 2. Let $f : A \times B \to C$ be a differential map. Then

$$\partial f(\langle a, b \rangle, \langle \delta a, \delta b \rangle) = +_C \circ \big\langle \partial f(\langle a, b \rangle, \langle \delta a, 0_B \rangle),\ \partial f(\langle \oplus_A \circ \langle a, \delta a \rangle, b \rangle, \langle 0_A, \delta b \rangle) \big\rangle$$

(The notational abuse is justified by the internal logic of a cartesian category.)
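Definitions 1 and 2, Lemma 1 (Sect. 2) and Lemma 2 above are all equations between finite compositions of the change-action data, so on Set they can be checked mechanically on sample inputs. The Python block below is an added illustration, not code from the paper or its authors: it represents a change action by its $\oplus$, $+$ and $0$, tests the derivative condition, regularity and (plain) additivity on constructed samples, composes derivatives by the chain rule, and rebuilds the derivative of a map out of a product from its two partial derivatives as in Lemma 2. The sample change actions (the monoidal action of the integers on themselves, its product with itself, and the monoid $(\{0,1\}, \max, 0)$) and the sample functions ($x^2$, $3y + 1$, $xy$, a constant) are constructed for this example; the functions $\texttt{is\_derivative}$, $\texttt{is\_regular}$, $\texttt{chain\_rule}$ and $\texttt{partial\_sum}$ are names chosen here.

```python
"""Change actions on Set, checked on constructed samples (added illustration, not the paper's code)."""
from dataclasses import dataclass
from itertools import product
from typing import Any, Callable


@dataclass(frozen=True)
class ChangeAction:
    """A = (|A|, ΔA, ⊕, +, 0): a monoid (ΔA, +, 0) acting on |A| through ⊕.
    |A| and ΔA are left implicit; the checks below take sample elements of them."""
    act: Callable[[Any, Any], Any]   # ⊕ : |A| × ΔA → |A|
    plus: Callable[[Any, Any], Any]  # + : ΔA × ΔA → ΔA
    zero: Any                        # 0 ∈ ΔA


def monoidal(plus, zero):
    """Example 1.1: a monoid (S, +, 0) acting on itself gives (S, S, +, +, 0)."""
    return ChangeAction(act=plus, plus=plus, zero=zero)


def product_action(A, B):
    """Theorem 2 read in Set: |A| × |B| with changes ΔA × ΔB, acting componentwise."""
    return ChangeAction(
        act=lambda ab, dab: (A.act(ab[0], dab[0]), B.act(ab[1], dab[1])),
        plus=lambda d, e: (A.plus(d[0], e[0]), B.plus(d[1], e[1])),
        zero=(A.zero, B.zero),
    )


def is_derivative(A, B, f, df, points, changes):
    """Definition 1: f(a ⊕_A δa) == f(a) ⊕_B ∂f(a, δa) on every sample pair."""
    return all(f(A.act(a, da)) == B.act(f(a), df(a, da))
               for a in points for da in changes)


def is_regular(A, B, df, points, changes):
    """Definition 2: ∂f(a, 0) == 0 and ∂f(a, δa + δb) == ∂f(a, δa) + ∂f(a ⊕ δa, δb)."""
    return all(df(a, A.zero) == B.zero for a in points) and all(
        df(a, A.plus(da, db)) == B.plus(df(a, da), df(A.act(a, da), db))
        for a in points for da in changes for db in changes)


def is_additive(A, B, df, points, changes):
    """Additivity in the second argument, which regularity does not imply."""
    return all(df(a, A.plus(da, db)) == B.plus(df(a, da), df(a, db))
               for a in points for da in changes for db in changes)


def chain_rule(f, df, dg):
    """Lemma 1: ∂(g ∘ f)(a, δa) = ∂g(f(a), ∂f(a, δa))."""
    return lambda a, da: dg(f(a), df(a, da))


def partial_sum(A, B, C, df):
    """Lemma 2: rebuild ∂f on A × B from its two partial derivatives."""
    return lambda ab, dab: C.plus(
        df(ab, (dab[0], B.zero)),
        df((A.act(ab[0], dab[0]), ab[1]), (A.zero, dab[1])))


# Constructed sample data: integers under addition, their product, and the
# two-element monoid ({0, 1}, max, 0), on which derivatives are not unique.
Z = monoidal(lambda a, b: a + b, 0)
ZxZ = product_action(Z, Z)
BOOL_MAX = monoidal(max, 0)
POINTS = list(range(-3, 4))          # sample elements of |Z| and of ΔZ

def square(x): return x * x
def d_square(x, dx): return 2 * x * dx + dx * dx        # finite difference of x²
def affine(y): return 3 * y + 1
def d_affine(y, dy): return 3 * dy
def times(xy): return xy[0] * xy[1]
def d_times(xy, dxy): return dxy[0] * xy[1] + xy[0] * dxy[1] + dxy[0] * dxy[1]


def run_checks():
    """Evaluate each property on the samples; returns a name -> bool table."""
    pairs = list(product(POINTS, POINTS))
    composite = lambda x: affine(square(x))
    d_composite = chain_rule(square, d_square, d_affine)
    rebuilt = partial_sum(Z, Z, Z, d_times)
    const_one, d_const_bad = (lambda x: 1), (lambda x, dx: 1)
    return {
        "square_is_derivative": is_derivative(Z, Z, square, d_square, POINTS, POINTS),
        "square_is_regular": is_regular(Z, Z, d_square, POINTS, POINTS),
        "square_is_additive": is_additive(Z, Z, d_square, POINTS, POINTS),   # fails: 2·δa·δb
        "chain_rule_is_derivative": is_derivative(Z, Z, composite, d_composite, POINTS, POINTS),
        "times_is_derivative": is_derivative(ZxZ, Z, times, d_times, pairs, pairs),
        "lemma2_partial_sum_agrees": all(d_times(ab, dab) == rebuilt(ab, dab)
                                         for ab in pairs for dab in pairs),
        # On BOOL_MAX any ∂ satisfies Definition 1 for the constant map 1, so a
        # derivative may meet Definition 1 and still fail regularity (∂f(a, 0) ≠ 0).
        "const_is_derivative": is_derivative(Z, BOOL_MAX, const_one, d_const_bad, POINTS, POINTS),
        "const_is_regular": is_regular(Z, BOOL_MAX, d_const_bad, POINTS, POINTS),
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {ok}")
```

The $x^2$ case is the one to look at: its finite-difference derivative is regular (Definition 2 holds for every sample) but not additive, which is the gap between the two notions that the text describes; the constant map into $(\{0,1\}, \max, 0)$ shows why Proposition 1 needs uniqueness.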


Theorem 4. If $\mathcal{C}$ is distributive, with law $\delta_{A,B,C} : (A \sqcup B) \times C \to (A \times C) \sqcup (B \times C)$, the following change action is the coproduct of $A$ and $B$ in $\mathbf{CAct}(\mathcal{C})$:

$$A \sqcup B := (|A| \sqcup |B|,\ \Delta A \times \Delta B,\ \oplus_{A \sqcup B},\ +_{A \sqcup B},\ \langle 0_A, 0_B \rangle)$$

where $\oplus_{A \sqcup B} = [\oplus_A \circ (\mathrm{Id}_A \times \pi_1), \oplus_B \circ (\mathrm{Id}_B \times \pi_2)] \circ \delta_{A,B,C}$, and $+_{A \sqcup B} = \langle +_A \circ (\pi_1 \times \pi_1), +_B \circ (\pi_2 \times \pi_2) \rangle$. The injections are $\hat{\iota}_1 = (\iota_1, \langle \pi_2, 0_B \rangle)$ and $\hat{\iota}_2 = (\iota_2, \langle 0_A, \pi_2 \rangle)$.

2 One might expect $\mathbf{CAct}$ to be a comonad with $\varepsilon$ as a counit. But if this were the case, we would have $\mathbf{CAct}(\varepsilon_{\mathcal{C}}) = \varepsilon_{\mathbf{CAct}(\mathcal{C})}$, which is, in general, not true.

3 Alternatively, one can define the (first) partial derivative of a map $f(x, y)$ as a map $\delta_1 f$ such that $f(x \oplus \delta x, y) = f(x, y) \oplus \delta_1 f(x, y, \delta x)$. It can be shown that a map is differentiable iff its first and second derivatives exist.
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Stable Derivatives and Additivity. We do not require derivatives to be addi- 
tive in their second argument; indeed in many cases they are not. Under some 
simple conditions, however, (regular) derivatives can be shown to be additive. 


Definition 4. Given an (internal) change action $A$ and objects $|B|, |C|$ in a cartesian category $\mathbb{C}$, a morphism $u : |A| \times |B| \to |C|$ is stable whenever the following diagram commutes, i.e.
$$u \circ (\oplus_A \times \mathrm{Id}_{|B|}) = u \circ (\pi_1 \times \mathrm{Id}_{|B|}) : (|A| \times \Delta A) \times |B| \to |C|.$$

If one thinks of $\Delta A$ as the object of "infinitesimal" transformations on $|A|$, then the preceding definition says that a morphism $u : |A| \times |B| \to |C|$ is stable whenever infinitesimal changes on the input $A$ do not affect its output.


Lemma 3. Let $f = (|f|, \partial f)$ be a differential map in $\mathbf{CAct}(\mathbb{C})$. If $\partial f$ is stable, then it is additive in its second argument,⁴ i.e. for all $x, \delta_1 x, \delta_2 x$ we have:
$$\partial f \circ \langle x, +_A \circ \langle \delta_1 x, \delta_2 x\rangle\rangle = +_B \circ \langle \partial f \circ \langle x, \delta_1 x\rangle, \partial f \circ \langle x, \delta_2 x\rangle\rangle$$


Lemma 4. Let $f = (|f|, \partial f)$ and $g = (|g|, \partial g)$ be differential maps, with $\partial g$ stable. Then $\partial(g \circ f)$ is stable.


It is straightforward to see that the category Stab(C) of change actions and 
differential maps with stable derivatives is a subcategory of CAct(C). 


4 Higher-Order Derivatives: The Extrinsic View 


In this section we study categories in which every object is equipped with a 
change action, and every morphism specifies a corresponding differential map. 
This provides a simple way of characterising categories which are models of 
higher-order differentiation purely in terms of change actions. 


Change Action Models. Recall that a copointed endofunctor is a pair $(F, \sigma)$ where the endofunctor $F : \mathbb{C} \to \mathbb{C}$ is equipped with a natural transformation $\sigma : F \to \mathrm{Id}$. A coalgebra of a copointed endofunctor $(F, \sigma)$ is an object $A$ of $\mathbb{C}$ together with a morphism $a : A \to FA$ such that $\sigma_A \circ a = \mathrm{Id}_A$.


Definition 5. We call a coalgebra $\alpha : \mathbb{C} \to \mathbf{CAct}(\mathbb{C})$ of the copointed endofunctor $(\mathbf{CAct}, \varepsilon)$ a change action model (on $\mathbb{C}$).


Assumption. Throughout Sect. 4, we fix a change action model $\alpha : \mathbb{C} \to \mathbf{CAct}(\mathbb{C})$.

Given an object $A$ of $\mathbb{C}$, the coalgebra $\alpha$ specifies an (internal) change action $\alpha(A) = (A, \Delta A, \oplus_A, +_A, 0_A)$ in $\mathbf{CAct}(\mathbb{C})$. (We abuse notation and write $\Delta A$ for the carrier object of the monoid specified in $\alpha(A)$; similarly for $+_A$, $\oplus_A$ and $0_A$.) Given a morphism $f : A \to B$ in $\mathbb{C}$, there is an associated differential map


⁴ Note that the converse is not the case, i.e. a derivative can be additive but not stable.
$\alpha(f) = (f, \partial f) : \alpha(A) \to \alpha(B)$. Since $\partial f : A \times \Delta A \to \Delta B$ is also a $\mathbb{C}$-morphism, there is a corresponding differential map $\alpha(\partial f) = (\partial f, \partial^2 f)$ in $\mathbf{CAct}(\mathbb{C})$, where $\partial^2 f : (A \times \Delta A) \times (\Delta A \times \Delta^2 A) \to \Delta B$ is a second derivative for $f$. Iterating this process, we obtain an $n$-th derivative $\partial^n f$ for every $\mathbb{C}$-morphism $f$. Thus change action models offer a setting for reasoning about higher-order differentiation.


Tangent Bundles in Change Action Models. In differential geometry the 
tangent bundle functor, which maps every manifold to its tangent bundle, is 
an important construction. There is an endofunctor on change action models 
reminiscent of the tangent bundle functor, with analogous properties. 


Definition 6. The tangent bundle functor $T : \mathbb{C} \to \mathbb{C}$ is defined as $TA = A \times \Delta A$ and $Tf = \langle f \circ \pi_1, \partial f\rangle$.

Notation. We use the shorthand $\pi_{ij} := \pi_i \circ \pi_j$.

The tangent bundle functor $T$ preserves products up to isomorphism, i.e. for all objects $A, B$ of $\mathbb{C}$, we have $T(A \times B) \cong TA \times TB$ and $T1 \cong 1$. In particular, $\phi_{A,B} = \langle\langle \pi_{11}, \pi_{12}\rangle, \langle \pi_{21}, \pi_{22}\rangle\rangle : TA \times TB \to T(A \times B)$ is an isomorphism. Consequently, given maps $f : A \to B$ and $g : A \to C$, then, up to the previous isomorphism, $T\langle f, g\rangle = \langle Tf, Tg\rangle$.

A consequence of the structure of products in $\mathbf{CAct}(\mathbb{C})$ is that the map $\oplus_{A \times B}$ inherits the pointwise structure in the following sense:


Lemma 5. Let $\phi_{A,B} : TA \times TB \to T(A \times B)$ be the canonical isomorphism described above. Then $\oplus_{A \times B} \circ \phi_{A,B} = \oplus_A \times \oplus_B$.


It will often be convenient to operate directly on the functor T, rather than 
on the underlying derivatives. For these, the following results are useful: 


Lemma 6. The following families of morphisms are natural transformations: $\pi_1, \oplus_A : T(A) \to A$, $z = \langle \mathrm{Id}, 0\rangle : A \to T(A)$ and $l = \langle\langle \pi_1, 0\rangle, \langle \pi_2, 0\rangle\rangle : T(A) \to T^2(A)$. Additionally, the triple $(T, z, T\oplus)$ defines a monad on $\mathbb{C}$.


A particularly interesting class of change action models are those that are 
also cartesian closed. Surprisingly, this has as an immediate consequence that 
differentiation is itself internal to the category. 


Lemma 7 (Internalisation of derivatives). Whenever $\mathbb{C}$ is cartesian closed, there is a morphism $d_{A,B} : (A \Rightarrow B) \to ((A \times \Delta A) \Rightarrow \Delta B)$ such that, for any morphism $f : 1 \times A \to B$, $d_{A,B} \circ \Lambda f = \Lambda(\partial f \circ \langle\langle \pi_1, \pi_{12}\rangle, \langle \pi_1, \pi_{22}\rangle\rangle)$.


Under some conditions, we can classify the structure of the exponentials in $(\mathbf{CAct}, \varepsilon)$-coalgebras. This requires the existence of an infinitesimal object.⁵


⁵ The concept of "infinitesimal object" is borrowed from synthetic differential geometry [18]. However, there is nothing intrinsically "infinitesimal" about such objects here.
Definition 7. If $\mathbb{C}$ is cartesian closed, an infinitesimal object $D$ is an object of $\mathbb{C}$ such that the tangent bundle functor $T$ is represented by the covariant Hom-functor $D \Rightarrow (-)$, i.e. there is a natural isomorphism $\phi : (D \Rightarrow (-)) \to T$.


Lemma 8. Whenever there is an infinitesimal object in $\mathbb{C}$, the tangent bundle $T(A \Rightarrow B)$ is naturally isomorphic to $A \Rightarrow TB$.


We would like the tangent bundle functor to preserve the exponential structure; in particular we would expect the tangent bundle to interact with exponentials in the same way as in the differential λ-calculus [11]. Unfortunately it seems impossible to prove in general that such an equation holds, although weaker results are available. If the tangent bundle functor is representable, however, additional structure is preserved.


Theorem 5. The isomorphism between the functors $T(A \Rightarrow (-))$ and $A \Rightarrow T(-)$ respects the structure of $T$, in the sense that the square formed by the isomorphism $T(A \Rightarrow B) \cong A \Rightarrow T(B)$ on top and the canonical maps from $T(A \Rightarrow B)$ and from $A \Rightarrow T(B)$ down to $A \Rightarrow B$ commutes.


5 Examples of Change Action Models 


Generalised Cartesian Differential Categories. Generalised cartesian differential categories (GCDC) [10], a recent generalisation of cartesian differential categories [4], are models of differential calculi. We show that change action models generalise GCDC in that GCDCs give rise to change action models in three⁶ different (non-trivial) ways. In this subsection let $\mathbb{C}$ be a GCDC (we assume familiarity with the definitions and notations in [10]).


1. The Flat Model. Define the functor $\alpha : \mathbb{C} \to \mathbf{CAct}(\mathbb{C})$ as follows. Let $f : A \to B$ be a $\mathbb{C}$-morphism. Then $\alpha(A) := (A, L_0(A), \pi_1, +_A, 0_A)$ and $\alpha(f) := (f, D[f])$.


Theorem 6. The functor a is a change action model. 


2. The Kleisli Model. GCDCs admit a tangent bundle functor, defined analogously to the standard notion in differential geometry. Let $f : A \to B$ be a $\mathbb{C}$-morphism. Define the tangent bundle functor $T : \mathbb{C} \to \mathbb{C}$ as $TA := A \times L_0(A)$ and $Tf := \langle f \circ \pi_1, D[f]\rangle$. The functor $T$ is in fact a monad, with unit $\eta = \langle \mathrm{Id}, 0_A\rangle : A \to A \times L_0(A)$ and multiplication $\mu : (A \times L_0(A)) \times L_0(A)^2 \to A \times L_0(A)$ defined by the composite
$$(A \times L_0(A)) \times L_0(A)^2 \xrightarrow{\ \langle \pi_1 \circ \pi_1,\ \langle \pi_2 \circ \pi_1,\ \pi_1 \circ \pi_2\rangle\rangle\ } A \times L_0(A)^2 \xrightarrow{\ \mathrm{Id} \times +\ } A \times L_0(A).$$
Thus we can define the Kleisli category $\mathbb{C}_T$ of this monad, which has geometric significance as a category of generalised vector fields.


6 The third, the Eilenberg-Moore model, is presented in [1, Appendix D]. 


54 M. Alvarez-Picallo and C.-H. L. Ong 


We define the functor $\alpha_T : \mathbb{C}_T \to \mathbf{CAct}(\mathbb{C}_T)$: given a $\mathbb{C}_T$-morphism $f : A \to B$, set $\alpha_T(A) = (A, L_0(A), \mathrm{Id}_{A \times L_0(A)}, \eta \circ +_A, \eta \circ 0_A)$ and $\alpha_T(f) = (f, D[f])$.


Lemma 9. $\alpha_T$ is a change action model.


Remark 2. The converse is not true: in general the existence of a change action model on $\mathbb{C}$ does not imply that $\mathbb{C}$ satisfies the GCDC axioms. However, if one requires, additionally, $(\Delta A, +_A, 0_A)$ to be commutative, with $\Delta(\Delta A) = \Delta A$ and $\oplus_A = +_A$ for all objects $A$, and some technical conditions (stability and uniqueness of derivatives), then it can be shown that $\mathbb{C}$ is indeed a GCDC.


Difference Calculus and Boolean Differential Calculus. Consider the full subcategory $\mathbf{Grp}_{\mathbf{Set}}$ of $\mathbf{Set}$ whose objects are all the groups.⁷ This is a cartesian closed category which can be endowed with the structure of a $(\mathbf{CAct}, \varepsilon)$-coalgebra $\alpha$ in a straightforward way.

Given a group $A = (A, +, 0, -)$, define the change action $\alpha(A) := (A, A, +, +, 0)$. Given a function $f : A \to B$, define the differential map $\alpha(f) = (f, \partial f)$ where $\partial f(x, \delta x) = -f(x) + f(x \oplus \delta x)$. Notice $f(x) \oplus \partial f(x, \delta x) = f(x) + (-f(x) + f(x + \delta x)) = f(x + \delta x) = f(x \oplus \delta x)$; hence $\partial f$ is a derivative for $f$ which is regular (but not necessarily additive), and $\alpha(f)$ is a map in $\mathbf{CAct}(\mathbf{Grp}_{\mathbf{Set}})$. The following result is then immediate.


Lemma 10. $\alpha : \mathbf{Grp}_{\mathbf{Set}} \to \mathbf{CAct}(\mathbf{Grp}_{\mathbf{Set}})$ defines a change action model.


This result is significant: in the calculus of finite differences [15], the discrete derivative (or discrete difference operator) of a function $f : \mathbb{Z} \to \mathbb{Z}$ is defined as $\partial f(x) := f(x + 1) - f(x)$. In fact the discrete derivative is (an instance of) the derivative of $f$ qua morphism in $\mathbf{Grp}_{\mathbf{Set}}$, i.e. $\partial f(x) = \partial f(x, 1)$.

Finite difference calculus [13,15] has found applications in combinatorics and numerical computation. Our formulation via a change action model over $\mathbf{Grp}_{\mathbf{Set}}$ has several advantages. First, it justifies the chain rule, which seems new. Secondly, it generalises the calculus to arbitrary groups. To illustrate this, consider Boolean differential calculus [22,23], a technique that applies methods from calculus to the space $B^n$ of vectors of elements of some Boolean algebra $B$.


Definition 8. Given a Boolean algebra $B$ and a function $f : B^n \to B^m$, the $i$-th Boolean derivative of $f$ at $(u_1, \ldots, u_n) \in B^n$ is the value
$$\frac{\partial f}{\partial u_i}(u_1, \ldots, u_n) = f(u_1, \ldots, u_n) \oplus f(u_1, \ldots, \neg u_i, \ldots, u_n),$$
writing $u \oplus v = (u \wedge \neg v) \vee (\neg u \wedge v)$ for exclusive-or.

Now $B^n$ is a $\mathbf{Grp}_{\mathbf{Set}}$-object. Set $\tau_i = (\underbrace{\bot, \ldots, \bot}_{i-1}, \top, \underbrace{\bot, \ldots, \bot}_{n-i}) \in B^n$.

Lemma 11. The Boolean derivative of $f : B^n \to B^m$ coincides with its derivative qua morphism in $\mathbf{Grp}_{\mathbf{Set}}$: $\frac{\partial f}{\partial u_i}(u_1, \ldots, u_n) = \partial f((u_1, \ldots, u_n), \tau_i)$.


⁷ We consider arbitrary functions, rather than group homomorphisms, since, according to this change action structure, every function between groups is differentiable.
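The $\mathbf{Grp}_{\mathbf{Set}}$ derivative $\partial f(x, \delta x) = -f(x) + f(x + \delta x)$ of this subsection, its finite-difference instance, the Boolean derivative of Lemma 11, and the partial-derivative decomposition of Lemma 2 on the product group $\mathbb{Z} \times \mathbb{Z}$, as an added, runnable Python example. This is not code from the paper; the `Group` wrapper, the sample functions and the sample points are constructed here for illustration.

```python
"""Derivatives in Grp_Set (Sect. 5): for any function f between groups,
d f(x, dx) = -f(x) + f(x + dx).  Instantiated on (Z, +), on the product group
Z x Z (partial derivatives, Lemma 2) and on the xor group B^n (Lemma 11).
Sample functions and sample points below are constructed for this example."""
from itertools import product


class Group:
    """A group given by its operation and inverse; the carrier is left implicit."""
    def __init__(self, add, neg):
        self.add, self.neg = add, neg


Z = Group(lambda x, y: x + y, lambda x: -x)
Z2 = Group(lambda u, v: (u[0] + v[0], u[1] + v[1]), lambda u: (-u[0], -u[1]))


def xor_group(n):
    """B^n with exclusive-or as the group operation; every element is self-inverse."""
    return Group(lambda u, v: tuple(a != b for a, b in zip(u, v)), lambda u: u)


def derivative(f, dom, cod):
    """The Grp_Set derivative d f(x, dx) = -f(x) + f(x + dx) for f : dom -> cod."""
    return lambda x, dx: cod.add(cod.neg(f(x)), f(dom.add(x, dx)))


def is_derivative(f, df, dom, cod, points, changes):
    """Defining equation of a derivative: f(x) (+) d f(x, dx) == f(x (+) dx)."""
    return all(cod.add(f(x), df(x, dx)) == f(dom.add(x, dx))
               for x in points for dx in changes)


def chain_rule_ok(f, g, A, B, C, points, changes):
    """d(g o f)(x, dx) == d g(f(x), d f(x, dx)) for f : A -> B and g : B -> C."""
    df, dg = derivative(f, A, B), derivative(g, B, C)
    dgf = derivative(lambda x: g(f(x)), A, C)
    return all(dgf(x, dx) == dg(f(x), df(x, dx))
               for x in points for dx in changes)


def additive_in_change(f, dom, cod, x, d1, d2):
    """Does d f(x, d1 + d2) == d f(x, d1) + d f(x, d2) hold at this point?
    The derivative is regular by construction but need not be additive."""
    df = derivative(f, dom, cod)
    return df(x, dom.add(d1, d2)) == cod.add(df(x, d1), df(x, d2))


def partials_sum_ok(f, points, changes):
    """Lemma 2 for f : Z x Z -> Z:
    d f((a,b),(da,db)) == d f((a,b),(da,0)) + d f((a+da,b),(0,db))."""
    df = derivative(f, Z2, Z)
    return all(df((a, b), (da, db)) == df((a, b), (da, 0)) + df((a + da, b), (0, db))
               for (a, b) in points for (da, db) in changes)


def finite_difference(f):
    """The discrete derivative f(x+1) - f(x) is d f(x, 1)."""
    df = derivative(f, Z, Z)
    return lambda x: df(x, 1)


def tau(n, i):
    """tau_i in B^n: True in position i (0-based here), False elsewhere."""
    return tuple(k == i for k in range(n))


def boolean_derivative(f, n, m, i):
    """i-th Boolean derivative of f : B^n -> B^m as d f(u, tau_i) (Lemma 11)."""
    df = derivative(f, xor_group(n), xor_group(m))
    return lambda u: df(u, tau(n, i))


def lemma11_ok(f, n, m):
    """Compare d f(u, tau_i) with Definition 8, f(u) xor f(u with u_i negated)."""
    for i in range(n):
        for u in product((False, True), repeat=n):
            flipped = tuple(not v if k == i else v for k, v in enumerate(u))
            direct = tuple(a != b for a, b in zip(f(u), f(flipped)))
            if boolean_derivative(f, n, m, i)(u) != direct:
                return False
    return True


# Constructed sample functions and points.
SQUARE = lambda x: x * x
AFFINE = lambda y: 3 * y - 1
MAJ_OR = lambda u: (u[0] and u[1], u[0] or u[2])          # B^3 -> B^2
INTS = range(-3, 4)

if __name__ == "__main__":
    print(finite_difference(SQUARE)(3))                       # 7 = 16 - 9
    print(is_derivative(SQUARE, derivative(SQUARE, Z, Z), Z, Z, INTS, INTS))
    print(chain_rule_ok(SQUARE, AFFINE, Z, Z, Z, INTS, INTS))
    print(additive_in_change(SQUARE, Z, Z, 3, 2, 2))          # False: 40 != 32
    print(partials_sum_ok(lambda p: p[0] * p[1] + p[0] ** 2,
                          list(product(INTS, INTS)), list(product(INTS, INTS))))
    print(lemma11_ok(MAJ_OR, 3, 2))
```

The `additive_in_change` check makes the remark above concrete: the derivative of $x \mapsto x^2$ on $\mathbb{Z}$ is regular, yet $\partial f(3, 2 + 2) = 40$ while $\partial f(3, 2) + \partial f(3, 2) = 32$, whereas a group homomorphism such as $x \mapsto 5x$ has an additive derivative.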
Polynomials over Commutative Kleene Algebras. The algebra of polynomials over a commutative Kleene algebra [14,17] (see [12,21] for work of a similar vein) is a change action model. Recall that Kleene algebra is the algebra of regular expressions [5,9]. Formally a Kleene algebra $K$ is a tuple $(K, +, \cdot, {}^*, 0, 1)$ such that $(K, +, \cdot, 0, 1)$ is a semiring, idempotent under $+$, satisfying, for all $a, b, c \in K$:
$$1 + aa^* = a^* \qquad 1 + a^*a = a^* \qquad b + ac \le c \Rightarrow a^*b \le c \qquad b + ca \le c \Rightarrow ba^* \le c$$
where $a \le b := a + b = b$. A Kleene algebra is commutative whenever $\cdot$ is. Henceforth fix a commutative Kleene algebra $K$. Define the algebra of polynomials $K[\bar x]$ as the free extension of the algebra $K$ with elements $\bar x = x_1, \ldots, x_n$. We write $p(\bar a)$ for the value of $p(\bar x)$ evaluated at $\bar x \mapsto \bar a$. Polynomials, viewed as functions, are closed under composition: when $p \in K[\bar x]$ and $q_1, \ldots, q_n \in K[\bar y]$ are polynomials, so is the composite $p(q_1(\bar y), \ldots, q_n(\bar y))$.
Given a polynomial $p = p(\bar x)$, we define its $i$-th derivative $\frac{\partial p}{\partial x_i}(\bar x) \in K[\bar x]$ by:
$$\frac{\partial a}{\partial x_i} = 0 \ \ (a \in K) \qquad \frac{\partial x_j}{\partial x_i} = \begin{cases} 1 & \text{if } i = j \\ 0 & \text{otherwise} \end{cases} \qquad \frac{\partial (p + q)}{\partial x_i} = \frac{\partial p}{\partial x_i} + \frac{\partial q}{\partial x_i}$$
$$\frac{\partial (p \cdot q)}{\partial x_i} = \frac{\partial p}{\partial x_i} \cdot q + p \cdot \frac{\partial q}{\partial x_i} \qquad \frac{\partial p^*}{\partial x_i} = p^* \cdot \frac{\partial p}{\partial x_i}$$
Write $\frac{\partial p}{\partial x_i}(\bar a)$ to mean the result of evaluating the polynomial $\frac{\partial p}{\partial x_i}(\bar x)$ at $\bar x \mapsto \bar a$.

Theorem 7 (Taylor's formula [14]). Let $p(x) \in K[x]$. For all $a, b \in K[x]$, we have
$$p(a + b) = p(a) + b \cdot \frac{\partial p}{\partial x}(a + b).$$


The category of finite powers of $K$, $K_\times$, has all natural numbers $n$ as objects. The morphisms $K_\times[m, n]$ are $n$-tuples of polynomials $(p_1, \ldots, p_n)$ where $p_1, \ldots, p_n \in K[x_1, \ldots, x_m]$. Composition of morphisms is the usual composition of polynomials.

Lemma 12. The category $K_\times$ is a cartesian category, endowed with a change action model $\alpha : K_\times \to \mathbf{CAct}(K_\times)$ whereby $\alpha(K) := (K, K, +, +, 0)$ and $\alpha(K^n) = \alpha(K)^n$; for $p = (p_1(\bar x), \ldots, p_n(\bar x)) : K^m \to K^n$, $\alpha(p) = (p, (p'_1, \ldots, p'_n))$, where
$$p'_i(\bar x, \delta\bar x) = \sum_{j=1}^{m} \delta x_j \cdot \frac{\partial p_i}{\partial x_j}(x_1 + \delta x_1, \ldots, x_m + \delta x_m).$$


Remark 3. Interestingly, derivatives are not additive in the second argument. Take $p(x) = x^*$. Then $\partial p(a, b + c) \neq \partial p(a, b) + \partial p(a, c)$. It follows that $K[x]$ cannot be modelled by a GCDC (because of axiom [CD.2]).


6 ω-Change Actions and ω-Differential Maps

A change action model $\alpha : \mathbb{C} \to \mathbf{CAct}(\mathbb{C})$ is a category that supports higher-order differentials: each $\mathbb{C}$-object $A$ is associated with an $\omega$-sequence of change actions, $\alpha(A), \alpha(\Delta A), \alpha(\Delta^2 A), \ldots$, in which every change action is compatible with the neighbouring change actions. We introduce $\omega$-change actions as a means of constructing change action models "freely": given a cartesian category $\mathbb{C}$, the objects of the category $\mathbf{CAct}_\omega(\mathbb{C})$ are all $\omega$-sequences of "contiguously compatible" change actions.


We work with $\omega$-sequences $[A_i]_{i \in \omega}$ and $[f_i]_{i \in \omega}$ of objects and morphisms in $\mathbb{C}$. We write $p_k([A_i]_{i \in \omega}) = A_k$ for the $k$-th element of the $\omega$-sequence (similarly for $p_k([f_i]_{i \in \omega})$), and omit the subscript '$i \in \omega$' from $[A_i]_{i \in \omega}$ to reduce clutter. Given $\omega$-sequences $[A_i]$ and $[B_i]$ of objects of a cartesian category $\mathbb{C}$, define the $\omega$-sequences product $[A_i] \times [B_i]$, left shift $\Pi[A_i]$ and derivative space $D[A_i]$ by:
$$p_j([A_i] \times [B_i]) = A_j \times B_j \qquad p_j(\Pi[A_i]) = A_{j+1}$$
$$p_0(D[A_i]) = A_0 \qquad p_{j+1} D[A_i] = p_j D[A_i] \times p_j D(\Pi[A_i])$$

Example 2. Given an $\omega$-sequence $[A_i]$, the first few terms of $D[A_i]$ are:
$$p_0 D[A_i] = A_0 \qquad p_1 D[A_i] = A_0 \times A_1 \qquad p_2 D[A_i] = (A_0 \times A_1) \times (A_1 \times A_2)$$
$$p_3 D[A_i] = ((A_0 \times A_1) \times (A_1 \times A_2)) \times ((A_1 \times A_2) \times (A_2 \times A_3))$$


Definition 9. Given $\omega$-sequences $[A_i]$ and $[B_i]$, a pre-$\omega$-differential map between them, written $[f_i] : [A_i] \to [B_i]$, is an $\omega$-sequence $[f_i]$ such that for each $j$, $f_j : p_j D[A_i] \to B_j$ is a $\mathbb{C}$-morphism.


We explain the intuition behind the derivative space $D[A_i]$. Take a morphism $f : A \to B$, and set $A_i = \Delta^i A$ (where $\Delta^0 A := A$ and $\Delta^{n+1} A := \Delta(\Delta^n A)$). Since $\Delta$ distributes over products, the domain of the $n$-th derivative of $f$ is $p_n D[A_i]$.

Notation. Define $\pi_1^{(0)} := \pi_1$ and $\pi_1^{(n+1)} := \pi_1^{(n)} \times \pi_1^{(n)}$, and define $\pi_2^{(0)} := \mathrm{Id}$ and $\pi_2^{(n+1)} := \pi_2^{(n)} \circ \pi_2$.

Definition 10. Let $[f_i] : [A_i] \to [B_i]$ and $[g_i] : [B_i] \to [C_i]$ be pre-$\omega$-differential maps. The derivative sequence $D[f_i]$ is the $\omega$-sequence defined by:
$$p_j D[f_i] = \langle f_j \circ \pi_1^{(j)}, f_{j+1}\rangle : p_{j+1} D[A_i] \to B_j \times B_{j+1}$$
Using the shorthand $D^n[f_i] := D(\ldots(D[f_i]))$ ($n$ times), the composite $[g_i] \circ [f_i] : [A_i] \to [C_i]$ is the pre-$\omega$-differential map given by $p_j([g_i] \circ [f_i]) = g_j \circ p_0(D^j[f_i])$. The identity pre-$\omega$-differential map $\mathrm{Id} : [A_i] \to [A_i]$ is defined as $p_j \mathrm{Id} := \pi_2^{(j)} : p_j D[A_i] \to A_j$.


Example 3. Consider $\omega$-sequences $[f_i]$ and $[g_i]$ as above. Then:
$$p_0 D[f_i] = \langle f_0 \circ \pi_1^{(0)}, f_1\rangle \qquad p_1 D[f_i] = \langle f_1 \circ \pi_1^{(1)}, f_2\rangle$$
$$p_0 D^2[f_i] = \langle\langle f_0 \circ \pi_1^{(0)}, f_1\rangle \circ \pi_1^{(0)},\ \langle f_1 \circ \pi_1^{(1)}, f_2\rangle\rangle$$
$$p_1 D^2[f_i] = \langle\langle f_1 \circ \pi_1^{(1)}, f_2\rangle \circ \pi_1^{(1)},\ \langle f_2 \circ \pi_1^{(2)}, f_3\rangle\rangle$$
$$p_0 D^3[f_i] = \langle p_0 D^2[f_i] \circ \pi_1^{(0)},\ \langle\langle f_1 \circ \pi_1^{(1)}, f_2\rangle \circ \pi_1^{(1)},\ \langle f_2 \circ \pi_1^{(2)}, f_3\rangle\rangle\rangle$$
It follows that the first few terms of the composite $[g_i] \circ [f_i]$ are:
$$p_0([g_i] \circ [f_i]) = g_0 \circ f_0 \qquad p_1([g_i] \circ [f_i]) = g_1 \circ \langle f_0 \circ \pi_1^{(0)}, f_1\rangle$$
$$p_2([g_i] \circ [f_i]) = g_2 \circ \langle\langle f_0 \circ \pi_1^{(0)}, f_1\rangle \circ \pi_1^{(0)},\ \langle f_1 \circ \pi_1^{(1)}, f_2\rangle\rangle$$
Notice that these correspond to iterations of the chain rule, assuming $f_{i+1} = \partial f_i$ and $g_{i+1} = \partial g_i$.
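The derivative sequence $D[f_i]$, the projections $\pi_1^{(j)}$ and the composite $p_j([g_i] \circ [f_i]) = g_j \circ p_0(D^j[f_i])$ of Definition 10, as an added Python example (not code from the paper). It builds the $\omega$-sequence $f_0, f_1 = \partial f_0, f_2 = \partial f_1, \ldots$ for a function on the group $(\mathbb{Z}, +)$ by iterating the $\mathbf{Grp}_{\mathbf{Set}}$ derivative of Sect. 5, then checks, against the derivatives of $g \circ f$ computed directly, that the composite really is the iterated chain rule. Elements of $p_j D[\mathbb{Z}]$ are represented as nested pairs of depth $j$; the sample functions and the sample point are constructed.

```python
"""Omega-sequences of derivatives over the group (Z, +), Sect. 6.
An element of p_j D[Z] is a nested pair of depth j: x, (x, dx), ((x, dx), (dx', ddx)), ...
The derivative of f_n is the Grp_Set one, f_{n+1}(P, Q) = -f_n(P) + f_n(P + Q)."""
from typing import Any, Callable, List

Point = Any   # an int, or a nested pair (Point, Point)


def add(u: Point, v: Point) -> Point:
    """Componentwise group operation on nested pairs (the product change action)."""
    if isinstance(u, tuple):
        return (add(u[0], v[0]), add(u[1], v[1]))
    return u + v


def nest(vals: List[int]) -> Point:
    """Pack 2**j integers into an element of p_j D[Z]."""
    if len(vals) == 1:
        return vals[0]
    h = len(vals) // 2
    return (nest(vals[:h]), nest(vals[h:]))


def pi1(j: int, p: Point) -> Point:
    """pi_1^{(0)} = pi_1 and pi_1^{(j+1)} = pi_1^{(j)} x pi_1^{(j)}."""
    if j == 0:
        return p[0]
    return (pi1(j - 1, p[0]), pi1(j - 1, p[1]))


def omega_seq(f0: Callable[[int], int], depth: int) -> List[Callable]:
    """[f_0, ..., f_depth] with f_{n+1} = d f_n; f_n takes an element of p_n D[Z]."""
    seq = [f0]
    for _ in range(depth):
        fn = seq[-1]
        seq.append(lambda p, fn=fn: fn(add(p[0], p[1])) - fn(p[0]))
    return seq


def D(fseq: List[Callable]) -> List[Callable]:
    """Derivative sequence: p_j D[f_i] = <f_j o pi_1^{(j)}, f_{j+1}> on p_{j+1} D[Z]."""
    return [lambda p, j=j: (fseq[j](pi1(j, p)), fseq[j + 1](p))
            for j in range(len(fseq) - 1)]


def compose(gseq: List[Callable], fseq: List[Callable]) -> List[Callable]:
    """p_j([g_i] o [f_i]) = g_j o p_0(D^j [f_i]), for as many j as the sequences allow."""
    out = []
    for j, gj in enumerate(gseq):
        dj = fseq
        for _ in range(j):
            dj = D(dj)
        if not dj:
            break
        out.append(lambda p, gj=gj, d0=dj[0]: gj(d0(p)))
    return out


def chain_rule_holds(f0, g0, depth=3, sample=(3, -2, 5, 1, -4, 2, 7, -1)) -> bool:
    """Compare p_j([g_i] o [f_i]) with the j-th derivative of g o f computed directly,
    at the constructed sample point of p_j D[Z], for every j <= depth."""
    hseq = omega_seq(lambda x: g0(f0(x)), depth)
    cseq = compose(omega_seq(g0, depth), omega_seq(f0, depth))
    return all(cseq[j](nest(list(sample[:2 ** j]))) == hseq[j](nest(list(sample[:2 ** j])))
               for j in range(depth + 1))


if __name__ == "__main__":
    sq = omega_seq(lambda x: x * x, 2)
    print(sq[1]((3, 2)))                    # 16 = 25 - 9
    print(sq[2](((3, 2), (1, 4))))          # 68
    print(D(sq)[1](((3, 2), (1, 4))))       # (7, 68)
    print(chain_rule_holds(lambda x: x * x, lambda y: 2 * y * y + 1))   # True
```

The check passes for every order because, in $\mathbf{Grp}_{\mathbf{Set}}$, the derivative of a pairing is the pairing of the derivatives and $\partial(u \circ \pi_1^{(k)}) = \partial u \circ \pi_1^{(k+1)}$, so $\partial(p_0 D^j[f_i]) = p_1 D^j[f_i]$ and the chain rule $\partial(g \circ u) = \partial g \circ \langle u \circ \pi_1, \partial u\rangle$ unfolds exactly into the composite of Definition 10.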


Proposition 3. For any pre-$\omega$-differential map $[f_i]$, $\mathrm{Id} \circ [f_i] = [f_i] \circ \mathrm{Id} = [f_i]$.


Proposition 4. Composition of pre-$\omega$-differential maps is associative: given pre-$\omega$-differential maps $[f_i] : [A_i] \to [B_i]$, $[g_i] : [B_i] \to [C_i]$ and $[h_i] : [C_i] \to [D_i]$, then for all $n \geq 0$, $h_n \circ p_0 D^n([g_i] \circ [f_i]) = (h_n \circ p_0 D^n[g_i]) \circ p_0 D^n[f_i]$.


Definition 11. Given pre-$\omega$-differential maps $[f_i] : [A_i] \to [B_i]$ and $[g_i] : [A_i] \to [C_i]$, the pairing $\langle [f_i], [g_i]\rangle : [A_i] \to [B_i] \times [C_i]$ is the pre-$\omega$-differential map defined by $p_j\langle [f_i], [g_i]\rangle = \langle f_j, g_j\rangle$. Define pre-$\omega$-differential maps $\pi_1 = [\pi_{1i}] : [A_i] \times [B_i] \to [A_i]$ by $p_j[\pi_{1i}] = \pi_1 \circ \pi_2^{(j)}$, and $\pi_2 = [\pi_{2i}] : [A_i] \times [B_i] \to [B_i]$ by $p_j[\pi_{2i}] = \pi_2 \circ \pi_2^{(j)}$.

Definition 12. A pre-$\omega$-change action on a cartesian category $\mathbb{C}$ is a quadruple $\hat A = ([A_i], [\oplus_{A_i}], [+_{A_i}], [0_{A_i}])$ where $[A_i]$ is an $\omega$-sequence of $\mathbb{C}$-objects, and for each $j \geq 0$, $\oplus_{A_j}$ and $+_{A_j}$ are $\omega$-sequences, satisfying

1. $\oplus_{A_j} : \Pi^j[A_i] \times \Pi^{j+1}[A_i] \to \Pi^j[A_i]$ is a pre-$\omega$-differential map.
2. $+_{A_j} : \Pi^{j+1}[A_i] \times \Pi^{j+1}[A_i] \to \Pi^{j+1}[A_i]$ is a pre-$\omega$-differential map.
3. $0_{A_j} : \top \to A_{j+1}$ is a $\mathbb{C}$-morphism.
4. $A(\hat A, j) = (A_j, A_{j+1}, p_0 \oplus_{A_j}, p_0 +_{A_j}, 0_{A_j})$ is a change action in $\mathbb{C}$.


We extend the left-shift operation to pre-$\omega$-change actions by defining $\Pi\hat A := (\Pi[A_i], \Pi[\oplus_{A_i}], \Pi[+_{A_i}], \Pi[0_{A_i}])$. Then we define the change actions $D(\hat A, j)$ inductively by $D(\hat A, 0) = A(\hat A, 0)$ and $D(\hat A, j+1) := D(\hat A, j) \times D(\Pi\hat A, j)$. Notice that the carrier object of $D(\hat A, j)$ is the $j$-th element of the $\omega$-sequence $D[A_i]$.


Definition 13. Given pre-$\omega$-change actions $\hat A$ and $\hat B$ (using the preceding notation), a pre-$\omega$-differential map $[f_i] : [A_i] \to [B_i]$ is $\omega$-differential if, for each $j \geq 0$, $(f_j, f_{j+1})$ is a differential map from the change action $D(\hat A, j)$ to $A(\hat B, j)$. Whenever $[f_i]$ is an $\omega$-differential map, we write $\hat f : \hat A \to \hat B$.

We say that a pre-$\omega$-change action $\hat A$ is an $\omega$-change action if, for each $i \geq 0$, $\oplus_{A_i}$ and $+_{A_i}$ are $\omega$-differential maps.⁸


⁸ It is important to sequence the definitions appropriately. Notice that we only define $\omega$-differential maps once there is a notion of pre-$\omega$-change action, but pre-$\omega$-change actions need pre-$\omega$-differential maps to make sense of the monoidal sum $+_{A_j}$ and action $\oplus_{A_j}$.
Remark 4. The reason for requiring each $\oplus_{A_i}$ and $+_{A_i}$ in an $\omega$-change action $\hat A$ to be $\omega$-differential is so that $\hat A$ is internally a change action in $\mathbf{CAct}_\omega(\mathbb{C})$ (see Definition 15).


Lemma 13. Let $\hat f : \hat A \to \hat B$ and $\hat g : \hat B \to \hat C$ be $\omega$-differential maps. Qua pre-$\omega$-differential maps, their composite $[g_i] \circ [f_i]$ is $\omega$-differential. Setting $\hat g \circ \hat f = [g_i] \circ [f_i] : \hat A \to \hat C$, it follows that composition of $\omega$-differential maps is associative.


Lemma 14. For any $\omega$-change action $\hat A$, the pre-$\omega$-differential map $\mathrm{Id} : [A_i] \to [A_i]$ is $\omega$-differential. Hence $\widehat{\mathrm{Id}} := \mathrm{Id} : \hat A \to \hat A$ satisfies the identity laws.


Definition 14. Given $\omega$-change actions $\hat A$ and $\hat B$, we define the product $\omega$-change action by $\hat A \times \hat B = ([A_i \times B_i], [\oplus_i], [+_i], [0_i])$ where

1. $\oplus_i = (\oplus_{A_i}, \oplus_{B_i}) \circ \langle\langle \pi_{11}, \pi_{12}\rangle, \langle \pi_{21}, \pi_{22}\rangle\rangle$
2. $+_i = (+_{A_i}, +_{B_i}) \circ \langle\langle \pi_{11}, \pi_{12}\rangle, \langle \pi_{21}, \pi_{22}\rangle\rangle$
3. $0_i = (0_{A_i}, 0_{B_i})$

Notice that $A(\hat A \times \hat B, j) = (A_j \times B_j, A_{j+1} \times B_{j+1}, p_0 \oplus_j, p_0 +_j, 0_j)$ is a change action in $\mathbb{C}$ by construction.


Lemma 15. The pre-$\omega$-differential maps $\pi_1, \pi_2$ are $\omega$-differential. Moreover, for any $\omega$-differential maps $\hat f : \hat A \to \hat B$ and $\hat g : \hat A \to \hat C$, the map $\langle \hat f, \hat g\rangle = \langle [f_i], [g_i]\rangle$ is $\omega$-differential, satisfying $\pi_1 \circ \langle \hat f, \hat g\rangle = \hat f$ and $\pi_2 \circ \langle \hat f, \hat g\rangle = \hat g$.
Definition 15. Define the functor $\mathbf{CAct}_\omega : \mathbf{Cat}_\times \to \mathbf{Cat}_\times$ as follows.

- $\mathbf{CAct}_\omega(\mathbb{C})$ is the category whose objects are the $\omega$-change actions over $\mathbb{C}$ and whose morphisms are the $\omega$-differential maps.
- If $F : \mathbb{C} \to \mathbb{D}$ is a (product-preserving) functor, then $\mathbf{CAct}_\omega(F) : \mathbf{CAct}_\omega(\mathbb{C}) \to \mathbf{CAct}_\omega(\mathbb{D})$ is the functor mapping the $\omega$-change action $([A_i], [[\oplus_i]_j], [[+_i]_j], [0_i])$ to $([FA_i], [[F\oplus_i]_j], [[F+_i]_j], [F0_i])$, and the $\omega$-differential map $[f_i]$ to $[Ff_i]$.

Theorem 8. The category $\mathbf{CAct}_\omega(\mathbb{C})$ is cartesian, with product given in Definition 14. Moreover, if $\mathbb{C}$ is closed and has countable limits, $\mathbf{CAct}_\omega(\mathbb{C})$ is cartesian closed.


Theorem 9. The category $\mathbf{CAct}_\omega(\mathbb{C})$ is equipped with a canonical change action model $\gamma : \mathbf{CAct}_\omega(\mathbb{C}) \to \mathbf{CAct}(\mathbf{CAct}_\omega(\mathbb{C}))$.


Theorem 10 (Relativised final coalgebra). Let $\mathbb{C}$ be a change action model. The canonical change action model $\gamma : \mathbf{CAct}_\omega(\mathbb{C}) \to \mathbf{CAct}(\mathbf{CAct}_\omega(\mathbb{C}))$ is a relativised⁹ final coalgebra of $(\mathbf{CAct}, \varepsilon)$, i.e. for every change action model $\alpha : \mathbb{C} \to \mathbf{CAct}(\mathbb{C})$ there is a unique coalgebra homomorphism $\alpha_\omega : \mathbb{C} \to \mathbf{CAct}_\omega(\mathbb{C})$, as witnessed by the commuting square
$$\gamma \circ \alpha_\omega = \mathbf{CAct}(\alpha_\omega) \circ \alpha : \mathbb{C} \to \mathbf{CAct}(\mathbf{CAct}_\omega(\mathbb{C})).$$


⁹ Here $\mathbf{CAct}$ is restricted to the full subcategory of $\mathbf{Cat}_\times$ with $\mathbb{C}$ as the only object.
Proof. We first exhibit the functor $\alpha_\omega : \mathbb{C} \to \mathbf{CAct}_\omega(\mathbb{C})$.

Take a $\mathbb{C}$-morphism $f : A \to B$. We define the $\omega$-differential map $\alpha_\omega(f) := \hat f : \hat A \to \hat B$, where $\hat A := ([A_i], [\oplus_i], [+_i], [0_i])$ is the $\omega$-change action determined by $A$ under iterated application of $\alpha$. That is, for each $i \geq 0$: $A_i := \Delta^i A$ (by abuse of notation, we write $\Delta A'$ for the carrier object of the monoid of the internal change action $\alpha(A')$, for any $\mathbb{C}$-object $A'$); $\oplus_i : \Pi^i[A_i] \times \Pi^{i+1}[A_i] \to \Pi^i[A_i]$ is specified by: $p_j \oplus_i$ is the monoid action morphism of $\alpha(A_{j+i})$; $+_i : \Pi^{i+1}[A_i] \times \Pi^{i+1}[A_i] \to \Pi^{i+1}[A_i]$ is specified by: $p_j +_i$ is the monoid sum morphism of $\alpha(A_{j+i})$; $0_i$ is the zero of $\alpha(A_i)$.

The $\omega$-sequence $\hat f := [f_i]$ is defined by induction: $f_0 := f$; assuming $f_n : p_n D[A_i] \to B_n$ is defined and $\alpha(f_n) = (f_n, \partial f_n)$, define $f_{n+1} := \partial f_n$.

To see that the diagram commutes, notice that $\gamma(\hat f) = (\hat f, \Pi\hat f)$ and that $\mathbf{CAct}(\alpha_\omega)$ maps $\alpha(f) = (f, \partial f)$ to $(\hat f, \widehat{\partial f})$; then $\Pi\hat f = \widehat{\partial f}$ follows from the construction of $\hat f$.

Finally, to see that the functor $\alpha_\omega$ is unique, consider the $\mathbb{C}$-morphisms $\partial^n f$ ($n = 0, 1, 2, \ldots$) where $\alpha(\partial^n f) = (\partial^n f, \partial^{n+1} f)$. Suppose $\beta : \mathbb{C} \to \mathbf{CAct}_\omega(\mathbb{C})$ is another homomorphism. Thanks to the commuting diagram, we must have $\Pi^n \beta(f) = \beta(\partial^n f)$, and so, in particular, $(\beta(f))_n = (\Pi^n \beta(f))_0 = (\beta(\partial^n f))_0 = \partial^n f$ for each $n \geq 0$. Thus $\hat f = \beta(f)$ as desired.


Theorem 11. The category $\mathbf{CAct}_\omega(\mathbb{C})$ is the limit in $\mathbf{Cat}_\times$ of the diagram
$$\mathbf{CAct}(\mathbb{C}) \xleftarrow{\ \varepsilon\ } \mathbf{CAct}(\mathbf{CAct}(\mathbb{C})) \xleftarrow{\ \varepsilon\ } \mathbf{CAct}(\mathbf{CAct}(\mathbf{CAct}(\mathbb{C}))) \xleftarrow{\ \varepsilon\ } \cdots$$


7 Related Work, Future Directions and Conclusions 


The present work directly expands upon work by the authors and others in [2], 
where the notion of change action was developed in the context of the incremental 
evaluation of Datalog programs. This work generalizes some results in [2] and 
addresses two significant questions that had been left open, namely: how to 
construct cartesian closed categories of change actions and how to formalize 
higher-order derivatives. 

Our work is also closely related to Cockett, Seely and Cruttwell's work on cartesian differential categories [3,4,7] and Cruttwell's more recent work on generalised cartesian differential categories [10]. Both cartesian differential categories and change action models aim to provide a setting for differentiation, and the construction of $\omega$-change actions resembles the Faà di Bruno construction [8,10] (especially its recent reformulation by Lemay [20]) which, given an arbitrary category $\mathbb{C}$, builds a cofree cartesian differential category for it. The main difference between these two settings lies in the specific axioms required (change action models are significantly weaker: see Remark 2).

In this sense, the derivative condition is close to the Kock-Lawvere axiom 
from synthetic differential geometry [18,19], which has provided much of the 
driving intuition behind this work, and making this connection precise is the 
subject of ongoing research. 

In a different direction, the simplicity of products and exponentials in closed change action models (see Theorem 5) suggests that there should be a reasonable calculus for change action models. Exploring such a calculus and its connections to the differential λ-calculus [11] could lead to practical applications to languages for incremental computation or higher-order automatic differentiation [16].

In conclusion, change actions and change action models constitute a new 
setting for reasoning about differentiation that is able to unify “discrete” and 
“continuous” models, as well as higher-order functions. Change actions are 
remarkably well-behaved and show tantalising connections with geometry and 
2-categories. We believe that most ad hoc notions of derivatives found in dis- 
parate subjects can be elegantly integrated into the framework of change action 
models. We therefore expect any further work in this area to have the potential 
of benefiting these notions of derivatives. 
Abstract. Automata learning is a popular technique for inferring minimal automata through membership and equivalence queries. In this paper, we generalise learning to the theory of coalgebras. The approach relies on the use of logical formulas as tests, based on a dual adjunction between states and logical theories. This allows us to learn, e.g., labelled transition systems, using Hennessy-Milner logic. Our main contribution is an abstract learning algorithm, together with a proof of correctness and termination.


1 Introduction 


In recent years, automata learning has been applied with considerable success to infer models of systems in order to analyse and verify them. Most current approaches to active automata learning are ultimately based on the original algorithm due to Angluin [4], although numerous improvements have been made, both in practical performance and in extending the techniques to different models [30].

Our aim is to move from automata to coalgebras [14,26], providing a gen- 
eralisation of learning to a wide range of state-based systems. The key insight 
underlying our work is that dual adjunctions connecting coalgebras and tailor- 
made logical languages [12,19,21,22,26] allow us to devise a generic learning 
algorithm for coalgebras that is parametric in the type of system under consid- 
eration. Our approach gives rise to a fundamental distinction between states of 
the learned system and tests, modelled as logical formulas. This distinction is 
blurred in the classical DFA algorithm, where tests are also used to specify the 
(reachable) states. It is precisely the distinction between tests and states which 
allows us to move beyond classical automata, and use, for instance, Hennessy- 
Milner logic to learn bisimilarity quotients of labelled transition systems. 

To present learning via duality we need to introduce new notions and refine existing ones. First, in the setting of coalgebraic modal logic, we introduce the new notion of sub-formula closed collections of formulas, generalising suffix-closed sets of words in Angluin's algorithm (Sect. 4). Second, we import the abstract notion of base of a functor from [8], which allows us to speak about 'successor states' (Sect. 5). In particular, the base allows us to characterise reachability of coalgebras in a clear and concise way. This yields a canonical procedure for computing the reachable part from a given initial state in a coalgebra, thus generalising the notion of a generated subframe from modal logic.

We then rephrase coalgebra learning as the problem of inferring a coalgebra 
which is reachable, minimal and which cannot be distinguished from the original 
coalgebra held by the teacher using tests. This requires suitably adapting the 
computation of the reachable part to incorporate tests, and only learn ‘up to 
logical equivalence’. We formulate the notion of closed table, and an associated 
procedure to close tables. With all these notions in place, we can finally define our 
abstract algorithm for coalgebra learning, together with a proof of correctness 
and termination (Sect.6). Overall, we consider this correctness and termination 
proof as the main contribution of the paper; other contributions are the com- 
putation of reachability via the base and the notion of sub-formula closedness. 
At a more conceptual level, our paper shows how states and tests interact in 
automata learning, by rephrasing it in the context of a dual adjunction connect- 
ing coalgebra (systems) and algebra (logical theories). As such, we provide a new 
foundation of learning state-based systems. 


Related Work. The idea that tests in the learning algorithm should be formulas of a distinct logical language was proposed first in [6]. However, the work in loc. cit. is quite ad hoc, confined to Boolean-valued modal logics, and did not explicitly use duality. This paper is a significant improvement: the dual adjunction framework and the definition of the base [8] enable us to present a description of Angluin's algorithm in purely categorical terms, including a proof of correctness and, crucially, termination. Our abstract notion of logic also enables us to recover exactly the standard DFA algorithm (where tests are words) and the algorithm for learning Mealy machines (where tests are many-valued), something that is not possible in [6] where tests are modal formulas. Closely related to our work is also the line of research initiated by [15] and followed up within the CALF project [11-13], which applies ideas from category theory to automata learning. Our approach is orthogonal to CALF: the latter focuses on learning a general version of automata, whereas our work is geared towards learning bisimilarity quotients of state-based transition systems. While CALF lends itself to studying automata in a large variety of base categories, our work thus far is concerned with varying the type of transition structures.


2 Learning by Example 


The aim of this section is twofold: (i) to remind the reader of the key elements 
of Angluin’s L* algorithm [4] and (ii) to motivate and outline our generalisation. 

In the classical L* algorithm, the learner tries to learn a regular language $L$ over some alphabet $A$ or, equivalently, a DFA $\mathcal{A}$ accepting that language. Learning proceeds by asking queries to a teacher who has access to this automaton. Membership queries allow the learner to test whether a given word is in the language, and equivalence queries to test whether the correct DFA has been learned already. The algorithm constructs so-called tables $(S, E)$ where $S, E \subseteq A^*$ are the rows and columns of the table, respectively. The value at position $(s, e)$ of the table is the answer to the membership query "$se \in L$?".

Words play a double role: on the one hand, a word $w \in S$ represents the state which is reached when reading $w$ from the initial state. On the other hand, the set $E$ represents the set of membership queries that the learner is asking about the states in $S$. A table is closed if for all $w \in S$ and all $a \in A$ either $wa \in S$ or there is a state $v \in S$ such that $wa$ is equivalent to $v$ w.r.t. membership queries of words in $E$. If a table is not closed we extend $S$ by adding words of the form $wa$ for $w \in S$ and $a \in A$. Once it is closed, one can define a conjecture,¹ i.e., a DFA with states in $S$. The learner now asks the teacher whether the conjecture is correct. If it is, the algorithm terminates. Otherwise the teacher provides a counterexample: a word on which the conjecture is incorrect. The table is now extended using the counterexample. As a result, the table is not closed anymore and the algorithm continues again by closing the table.

Our version of L* introduces some key conceptual differences: tables are pairs $(S, W)$ such that $S$ (set of rows) is a selection of states of $\mathcal{A}$ and $W$ (set of columns) is a collection of tests/formulas. Membership queries become checks of tests in $W$ at states in $S$, and equivalence queries verify whether or not the learned structure is logically equivalent to the original one. A table $(S, W)$ is closed if for all successors $x'$ of elements of $S$ there exists an $x \in S$ such that $x$ and $x'$ are equivalent w.r.t. formulas in $W$. The clear distinction between states and tests in our algorithm means that counterexamples are formulas that have to be added to $W$. Crucially, the move from words to formulas allows us to use the rich theory of coalgebra and coalgebraic logic to devise a generic algorithm.

We consider two examples within our generic framework: classical DFAs, 
yielding essentially the L* algorithm, and labelled transition systems, which is to 
the best of our knowledge not covered by standard automata learning algorithms. 

For the DFA case, let $L = \{u \in \{a, b\}^* \mid \text{number of } a\text{'s in } u \bmod 3 = 0\}$ and assume that the teacher uses the following (infinite) automaton describing $L$:

[Figure: the teacher's infinite automaton for $L$, with states $q_0, q_1, q_2, q_3, \ldots$ and $a$-transitions $q_i \to q_{i+1}$; not reproduced here.]

As outlined above, the learner starts to construct tables $(S, W)$ where $S$ is a selection of states of the automaton and $W$ are formulas. As we will see (Example 1), our formulas are just words in $\{a, b\}^*$. Our starting table is $(\{q_0\}, \emptyset)$, i.e., we select the initial state and do not check any logical properties. This table is trivially closed, as all states are equivalent w.r.t. $\emptyset$. The first conjecture is the automaton consisting of one accepting state $q_0$ with $a$- and $b$-loops, whose language is $\{a, b\}^*$. This is incorrect and the teacher provides, e.g., $aa$ as counterexample. The resulting table is $(\{q_0\}, \{\epsilon, a, aa\})$ where the


1 The algorithm additionally requires consistency, but this is not needed if counterex- 
amples are added to EL. This idea goes back to [22]. 
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second component was generated by closing {aa} under suffixes. Suffix closed- 
ness features both in the original L* algorithm and in our framework (Sect. 4). 
The table ({qo}, {€,a,aa}) is not closed as q1, the a-successor of go, does not 
accept € whereas qo does. Therefore we extend the table to ({q0, qi}, {€, a, aa}). 
Note that, unlike in the classical setting, exploring successors of already selected 
states cannot be achieved by appending letters to words, but we need to locally 
employ the transition structure on the automaton A instead. A similar argument 
shows that we need to extend the table further to ({qo, q1, g2}, {€, a, aa}) which 
is closed. This leads to the (correct) conjecture depicted on the right below. The 
acceptance condition and transition structure has been read off from the original 
automaton, where the transition from q2 to go is obtained by realising that q2’s 
successor q3 is represented by the equivalent state qo € S. 
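The DFA run above, as an added Python illustration that is not code from the paper: the teacher's infinite automaton is constructed here as a counter that is only ever queried through its transition and acceptance functions, and the teacher's equivalence query is approximated by a bounded search for a shortest distinguishing word (an assumption of this example; the paper's teacher may return any counterexample, e.g. aa).

```python
from itertools import product

# Teacher's (infinite) automaton for L = {u in {a,b}* | #a(u) mod 3 = 0}, constructed
# for this example: state i counts the a's read so far, q_i -a-> q_{i+1}, b-loops,
# and q_i accepts iff i mod 3 == 0. Only next_state and accepts are ever called,
# so the automaton is never enumerated, as in the paper's learning game.
ALPHABET = "ab"

def next_state(q, letter):
    return q + 1 if letter == "a" else q

def accepts(q):
    return q % 3 == 0

def sat(q, word):
    """Check the test `word` (Example 1: formulas are words) at state q."""
    for letter in word:
        q = next_state(q, letter)
    return accepts(q)

def row(q, W):
    """The W-row of state q: its truth values on all tests in W."""
    return tuple(sat(q, w) for w in W)

def close_table(S, W):
    """Close (S, W): whenever a successor of a row has a W-row not yet present,
    add that successor as a new row. Successors come from the transition
    structure of the teacher's automaton, not from appending letters to words."""
    S = list(S)
    rows = {row(q, W) for q in S}
    i = 0
    while i < len(S):
        for letter in ALPHABET:
            succ = next_state(S[i], letter)
            if row(succ, W) not in rows:
                S.append(succ)
                rows.add(row(succ, W))
        i += 1
    return S

def conjecture(S, W):
    """Read acceptance and transitions off the teacher's automaton; a successor
    outside S is replaced by the row in S with the same W-row (sharp tables
    have pairwise distinct rows, so the representative is unique)."""
    representative = {row(q, W): q for q in S}
    delta = {(q, letter): representative[row(next_state(q, letter), W)]
             for q in S for letter in ALPHABET}
    return S[0], delta, {q: accepts(q) for q in S}

def conjecture_accepts(conj, word):
    init, delta, acc = conj
    q = init
    for letter in word:
        q = delta[(q, letter)]
    return acc[q]

def counterexample(conj, max_len=6):
    """Equivalence query (assumed bounded search): shortest word, in
    length-lexicographic order, on which the conjecture disagrees with L."""
    for n in range(max_len + 1):
        for letters in product(ALPHABET, repeat=n):
            word = "".join(letters)
            if conjecture_accepts(conj, word) != sat(0, word):
                return word
    return None

def learn(max_len=6):
    """The states-vs-tests L* loop: start from ({q0}, {}), close the table,
    build the conjecture, add the counterexample and all its suffixes to W,
    and repeat. Returns the final conjecture and the sequence of closed tables."""
    S, W, history = [0], [], []
    while True:
        S = close_table(S, W)
        conj = conjecture(S, W)
        history.append((tuple(S), tuple(W)))
        cex = counterexample(conj, max_len)
        if cex is None:
            return conj, history
        for suffix in (cex[i:] for i in range(len(cex) + 1)):
            if suffix not in W:
                W.append(suffix)
```

With the bounded search the first counterexample is the single letter a rather than aa, and suffix closure then gives W = {a, ε}; the closed table {q0, q1, q2} and the transition q2 → q0 come out exactly as in the text.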

A key feature of our work is that the L* algorithm can be systematically generalised to new settings, in particular, to the learning of bisimulation quotients of transition systems. Consider the following labelled transition system (LTS). We would like to learn its minimal representation, i.e., its quotient modulo bisimulation.

Our setting allows us to choose a suitable logical language. For LTSs, the language consists of the formulas of standard multi-modal logic (cf. Example 3). The semantics is as usual where ⟨a⟩φ holds at a state if it has an a-successor that makes φ true.

As above, the algorithm constructs tables, starting with (S = {x0}, W = ∅). The table is closed, so the first conjecture is a single state with an a-loop with no proposition letter true (note that x0 has no b or c successor and no proposition is true at x0). It is, however, easy for the teacher to find a counterexample. For example, the formula ⟨a⟩⟨b⟩⊤ is true at the root of the original LTS but false in the conjecture. We add the counterexample and all its subformulas to W and obtain a new table ({x0}, W') with W' = {⟨a⟩⟨b⟩⊤, ⟨b⟩⊤, ⊤}. Now, the table is not closed, as x0 has successor x1 that satisfies ⟨b⟩⊤ whereas x0 does not satisfy ⟨b⟩⊤. Therefore we add x1 to the table to obtain ({x0, x1}, W'). Similar arguments will lead to the closed table ({x0, x1, x3, x4}, W') which also yields the correct conjecture. Note that the state x2 does not get added to the table as it is equivalent to x1 and thus already represented. This demonstrates a remarkable fact: we computed the bisimulation quotient of the LTS without inspecting the (infinite) right-hand side of the LTS.

Another important example that fits smoothly into our framework is the well-known variant of Angluin's algorithm to learn Mealy machines (Example 2). Thanks to our general notion of logic, our framework allows the use of an intuitive language, where a formula is simply an input word w whose truth value at a state x is the observed output after entering w at x. This is in contrast to [6] where formulas had to be Boolean valued. Multi-valued logics fit naturally in our setting; this is expected to be useful to deal with systems with quantitative information.


3 Preliminaries 


The general learning algorithm in this paper is based on the theory of coalgebras, which provides an abstract framework for representing state-based transition systems. In what follows we assume that the reader is familiar with basic notions of category theory and coalgebras [14,26]. We briefly recall the notion of pointed coalgebra, modelling a coalgebra with an initial state. Let C be a category with a terminal object 1 and let B: C → C be a functor. A pointed B-coalgebra is a triple (X, γ, x0) where X ∈ C and γ: X → BX and x0: 1 → X, specifying the coalgebra structure and the point ("initial state") of the coalgebra, respectively.


Coalgebraic Modal Logic. Modal logics are used to describe properties of state-based systems, modelled here as coalgebras. The close relationship between coalgebras and their logics is described elegantly via dual adjunctions [18,20,21,24]. Our basic setting consists of two categories C, D connected by functors P, Q forming a dual adjunction P ⊣ Q: C → D^op. In other words, we have a natural bijection C(X, QA) ≅ D(A, PX) for X ∈ C, A ∈ D. Moreover, we assume two functors, B: C → C, L: D → D, see (1). The functor L represents the syntax of the (modalities in the) logic: assuming that L has an initial algebra α: LΦ → Φ we think of Φ as the collection of formulas, or tests. In this logical perspective, the functor P maps an object X of C to the collection of predicates and the functor Q maps an object A of D to the collection QA of A-theories.

[Diagram (1): B: C → C on the left, L: D → D on the right, with P: C → D^op and Q: D^op → C connecting the two categories]

The connection between coalgebras and their logics is specified via a natural transformation δ: LP ⇒ PB, sometimes referred to as the one-step semantics of the logic. The δ is used to define the semantics of the logic on a B-coalgebra (X, γ) by initiality, as in (2). Furthermore, using the bijective correspondence of the dual adjunction between P and Q, the map ⟦_⟧ corresponds to a map th^γ: X → QΦ that we will refer to as the theory map of (X, γ).

[Diagram (2): LΦ --L⟦_⟧--> LPX --δ_X--> PBX along the top, α: LΦ → Φ on the left, Pγ: PBX → PX on the right, and ⟦_⟧: Φ → PX along the bottom]

The theory map can be expressed directly via a universal property, by making use of the so-called mate δ♭: BQ ⇒ QL of the one-step semantics δ (cf. [18,24]). More precisely, we have δ♭ = QLε ∘ QδQ ∘ ηBQ, where η, ε are the unit and counit of the adjunction. Then th^γ: X → QΦ is the unique morphism making (3) commute.

[Diagram (3): X --th^γ--> QΦ along the top, γ: X → BX on the left, Qα: QΦ → QLΦ on the right, and BX --B th^γ--> BQΦ --δ♭_Φ--> QLΦ along the bottom]
Example 1. Let C = D = Set, P = Q = 2^(−) the contravariant power set functor, B = 2 × (−)^A and L = 1 + A × (−). In this case B-coalgebras can be thought of as deterministic automata with input alphabet A (e.g., [25]). It is well-known that the initial L-algebra is Φ = A* with structure α = [ε, cons]: 1 + A × A* → A* where ε selects the empty word and cons maps a pair (a, w) ∈ A × A* to the word aw ∈ A*, i.e., in this example our tests are words with the intuitive meaning that a test succeeds if the word is accepted by the given automaton. For X ∈ C, the X-component of the (one-step) semantics δ: LP ⇒ PB is defined as follows: δ_X(*) = {(i, f) ∈ 2 × X^A | i = 1}, and δ_X(a, U) = {(i, f) ∈ 2 × X^A | f(a) ∈ U}. It is a matter of routine checking that the semantics of tests in Φ on a B-coalgebra (X, γ) is as follows: we have ⟦ε⟧ = {x ∈ X | π1(γ(x)) = 1} and ⟦aw⟧ = {x ∈ X | π2(γ(x))(a) ∈ ⟦w⟧}, where π1 and π2 are the projection maps. The theory map th^γ sends a state to the language accepted by that state in the usual way.


Example 2. Again let C = D = Set and consider the functors P = Q = O^(−), B = (O × −)^A and L = A × (1 + −), where A and O are fixed sets, thought of as input and output alphabet, respectively. Then B-coalgebras are Mealy machines and the initial L-algebra is given by the set A⁺ of finite non-empty words over A. For X ∈ C, the one-step semantics δ_X: A × (1 + O^X) → O^((O × X)^A) is defined by δ_X(a, inl(*)) = λf. π1(f(a)) and δ_X(a, inr(g)) = λf. g(π2(f(a))). Concretely, formulas are words in A⁺; the (O-valued) semantics of w ∈ A⁺ at state x is the output o ∈ O that is produced after processing the input w from state x.


Example 3. Let C = Set and D = BA, where the latter denotes the category of Boolean algebras. Again P = 2^(−), but this time 2^X is interpreted as a Boolean algebra. The functor Q maps a Boolean algebra to the collection of ultrafilters over it [7]. Furthermore B = (𝒫−)^A where 𝒫 denotes covariant power set and A a set of actions. Coalgebras for this functor correspond to labelled transition systems, where a state has a set of successors that depends on the action/input from A. The dual functor L: BA → BA is defined as LY := F_BA({⟨a⟩y | a ∈ A, y ∈ Y})/≡ where F_BA: Set → BA denotes the free Boolean algebra functor and where, roughly speaking, ≡ is the congruence generated from the axioms ⟨a⟩⊥ = ⊥ and ⟨a⟩(y1 ∨ y2) = ⟨a⟩y1 ∨ ⟨a⟩y2 for each a ∈ A. This is explained in more detail in [21]. The initial algebra for this functor is the so-called Lindenbaum-Tarski algebra [7] of modal formulas (φ := ⊥ | φ ∨ φ | ¬φ | ⟨a⟩φ) quotiented by logical equivalence. The definition of an appropriate δ can be found in, e.g., [21]—the semantics ⟦_⟧ of a formula then amounts to the standard one [7].


Different types of probabilistic transition systems also fit into the dual adjunction framework, see, e.g., [17].


Subobjects and Intersection-Preserving Functors. We denote by Sub(X) the collection of subobjects of an object X ∈ C. Let ≤ be the order on subobjects s: S ↣ X, s': S' ↣ X given by s ≤ s' iff there is m: S → S' s.t. s = s' ∘ m. The intersection ∧J ↣ X of a family J = {s_i: S_i ↣ X}_{i∈I} is defined as the greatest lower bound w.r.t. the order ≤. In a complete category, it can be computed by (wide) pullback. We denote the maps in the limiting cone by x_i: ∧J → S_i. For a functor B: C → D, we say B preserves (wide) intersections if it preserves these wide pullbacks, i.e., if (B(∧J), {Bx_i}_{i∈I}) is the pullback of {Bs_i: BS_i → BX}_{i∈I}. By [2, Lemma 3.53] (building on [29]), finitary functors on Set 'almost' preserve wide intersections: for every such functor B there is a functor B' which preserves wide intersections and agrees with B on all non-empty sets. Finally, if B preserves intersections, then it preserves monos.


Minimality Notions. The algorithm that we will describe in this paper learns 
a minimal and reachable representation of an object. The intuitive notions of 
minimality and reachability are formalised as follows. 


Definition 4. We call a B-coalgebra (X, γ) minimal w.r.t. logical equivalence if the theory map th^γ: X → QΦ is a monomorphism.


Definition 5. We call a pointed B-coalgebra (X, γ, x0) reachable if for any subobject s: S ↣ X and s0: 1 → S with x0 = s ∘ s0: if S is a subcoalgebra of (X, γ) then s is an isomorphism.


For expressive logics [27], behavioural equivalence coincides with logical equiv- 
alence. Hence, in that case, our algorithm learns a “well-pointed coalgebra” in 
the terminology of [2], i.e., a pointed coalgebra that is reachable and minimal 
w.r.t. behavioural equivalence. All logics appearing in this paper are expressive. 


Assumption on C and Factorisation System. Throughout the paper we will assume that C is a complete and well-powered category. Well-powered means that for each X ∈ C the collection Sub(X) of subobjects of a given object forms a set. Our assumptions imply [10, Proposition 4.4.3] that every morphism f in C factors uniquely (up to isomorphism) as f = m ∘ e with m a mono and e a strong epi. Recall that an epimorphism e: X → Y is strong if for every commutative square in (4) where the bottom arrow is a monomorphism, there exists a unique diagonal morphism d such that the entire diagram commutes.

[Diagram (4): a commutative square with top arrow e: X → Y, bottom arrow a monomorphism U ↣ Z, and the diagonal d: Y → U]


4 Subformula Closed Collections of Formulas 


Our learning algorithm will construct conjectures that are "partially" correct, i.e., correct with respect to a subobject of the collection of all formulas/tests. Recall that this collection of all tests is formalised in our setting as the initial L-algebra (Φ, α: LΦ → Φ). To define a notion of partial correctness we need to consider subobjects of Φ to which we can restrict the theory map. This is formalised via the notion of "subformula closed" subobject of Φ. The definition of such subobjects is based on the notion of recursive coalgebra. For L: D → D an endofunctor, a coalgebra f: X → LX is called recursive if for every L-algebra g: LY → Y there is a unique 'coalgebra-to-algebra' map g' making (5) commute.

[Diagram (5): LX --Lg'--> LY along the top, f: X → LX on the left, g: LY → Y on the right, and X --g'--> Y along the bottom]

Definition 6. A subobject j: W ↣ Φ is called a subformula closed collection (of formulas) if there is a unique L-coalgebra structure σ: W → LW such that (W, σ) is a recursive L-coalgebra and j is the (necessarily unique) coalgebra-to-algebra map from (W, σ) to the initial algebra (Φ, α).


Remark 7. The uniqueness of o in Definition 6 is implied if L preserves 
monomorphisms. This is the case in our examples. The notion of recursive coal- 
gebra goes back to [23,28]. The paper [1] contains a claim that the first item 
of our definition of subformula closed collection is implied by the second one 
if L preserves preimages. In our examples both properties of (W, o) are verified 
directly, rather than by relying on general categorical results. 


Example 8. In the setting of Example 1, where the initial L-algebra is based on the set A* of words over the set (of inputs) A, a subset W ⊆ A* is subformula-closed if it is suffix-closed, i.e., if for all aw ∈ W we have w ∈ W as well.


Example 9. In the setting that B = (𝒫−)^A for some set of actions A, C = Set and D = BA, the logic is given as a functor L on Boolean algebras as discussed in Example 3. As a subformula closed collection is an object in D, we are not simply dealing with a set of formulas, but with a Boolean algebra. The connection to the standard notion of being closed under taking subformulas in modal logic [7] can be sketched as follows: given a set Δ of modal formulas that is closed under taking subformulas, we define a Boolean algebra W_Δ ⊆ Φ as the smallest Boolean subalgebra of Φ that is generated by the set Δ̂ = {[φ]_Φ | φ ∈ Δ} where for a formula φ we let [φ]_Φ ∈ Φ denote its equivalence class in Φ.

It is then not difficult to define a suitable σ: W_Δ → LW_Δ. As W_Δ is generated by closing Δ̂ under Boolean operations, any two states x1, x2 in a given coalgebra (X, γ) satisfy (∀b ∈ W_Δ. x1 ∈ ⟦b⟧ ⇔ x2 ∈ ⟦b⟧) iff (∀φ ∈ Δ. x1 ∈ ⟦φ⟧ ⇔ x2 ∈ ⟦φ⟧). In other words, equivalence w.r.t. W_Δ coincides with equivalence w.r.t. the set of formulas Δ. This explains why in the concrete algorithm, we do not deal with Boolean algebras explicitly, but with subformula closed sets of formulas instead.


The key property of subformula closed collections W is that we can restrict our attention to the so-called W-theory map. Intuitively, subformula closedness is what allows us to define this theory map inductively.

[Diagram (6): X --th^γ_W--> QW along the top, γ: X → BX on the left, Qσ: QW → QLW on the right, and BX --B th^γ_W--> BQW --δ♭_W--> QLW along the bottom]

Lemma 10. Let W ↣ Φ be a sub-formula closed collection, with coalgebra structure σ: W → LW. Then th^γ_W = Qj ∘ th^γ is the unique map making (6) commute. We call th^γ_W the W-theory map, and omit the W if it is clear from the context.


5 Reachability and the Base 


In this section, we define the notion of base of an endofunctor, taken from [8]. 
This allows us to speak about the (direct) successors of states in a coalgebra, 
and about reachability, which are essential ingredients of the learning algorithm. 


Definition 11. Let B: C → C be an endofunctor. We say B has a base if for every arrow f: X → BY there exist g: X → BZ and m: Z ↣ Y with m a monomorphism such that f = Bm ∘ g, and for any pair g': X → BZ', m': Z' ↣ Y with Bm' ∘ g' = f and m' a monomorphism there is a unique arrow h: Z → Z' such that Bh ∘ g = g' and m' ∘ h = m, see Diagram (7). We call (Z, g, m) the (B)-base of the morphism f.

We sometimes refer to m: Z ↣ Y as the base of f, omitting the g when it is irrelevant, or clear from the context. Note that the terminology 'the' base is justified, as it is easily seen to be unique up to isomorphism.

[Diagram (7): X --g--> BZ --Bm--> BY and X --g'--> BZ' --Bm'--> BY, connected by Bh: BZ → BZ']

For example, let B: Set → Set, BX = 2 × X^A. The base of a map f: X → BY is given by m: Z ↣ Y, where Z = {(π2 ∘ f)(x)(a) | x ∈ X, a ∈ A}, and m is the inclusion. The associated g: X → BZ is the corestriction of f to BZ.

For B = (𝒫−)^A: Set → Set, the B-base of f: X → BY is given by the inclusion m: Z ↣ Y, where Z = {y ∈ Y | ∃x ∈ X, ∃a ∈ A s.t. y ∈ f(x)(a)}.


Proposition 12. Suppose C is complete and well-powered, and B: C → C preserves (wide) intersections. Then B has a base.

If C is a locally presentable category, then it is complete and well-powered [3, Remark 1.56]. Hence, in that case, any functor B: C → C which preserves intersections has a base. The following lemma will be useful in proofs.

Lemma 13. Let B: C → C be a functor that has a base and that preserves pre-images. Let f: S → BX and h: X → Y be morphisms, let (Z, g, m) be the base of f and let e: Z ↠ W, m': W ↣ Y be the (strong epi, mono)-factorisation of h ∘ m. Then (W, Be ∘ g, m') is the base of Bh ∘ f.


The B-base provides an elegant way to relate reachability within a coalgebra to a monotone operator on the (complete) lattice of subobjects of the carrier of the coalgebra. Moreover, we will see that the least subcoalgebra that contains a given subobject of the carrier can be obtained via a standard least fixpoint construction. Finally, we will introduce the notion of prefix closed subobject of a coalgebra, generalising the prefix closedness condition from Angluin's algorithm.

By our assumption on C at the end of Sect. 3, the collection of subobjects (Sub(X), ≤) ordered as usual (cf. Section 3) forms a complete lattice. Recall that the meet on Sub(X) (intersection) is defined via pullbacks. In categories with coproducts, the join s1 ∨ s2 of subobjects s1, s2 ∈ Sub(X) is defined as the mono part of the factorisation of the map [s1, s2]: S1 + S2 → X, i.e., [s1, s2] = (s1 ∨ s2) ∘ e for a strong epi e. In Set, this amounts to taking the union of subsets.

For a binary join s1 ∨ s2 we denote by inl_∨: S1 → (S1 ∨ S2) and inr_∨: S2 → (S1 ∨ S2) the embeddings that exist by s_i ≤ s1 ∨ s2 for i ∈ {1, 2}. Let us now define the key operator of this section.

[Diagram (8): S --s--> X --γ--> BX along the top, g: S → BΓ(S) on the left, and BΓ(S) --BΓ^γ(s)--> BX along the bottom]

Definition 14. Let B be a functor that has a base, s: S ↣ X a subobject of some X ∈ C and let (X, γ) be a B-coalgebra. Let (Γ(S), g, Γ^γ(s)) be the B-base of γ ∘ s, see Diagram (8). Whenever B and γ are clear from the context, we write Γ(s) instead of Γ^γ(s).


Lemma 15. Let B: C → C be a functor with a base and let (X, γ) be a B-coalgebra. The operator Γ: Sub(X) → Sub(X) defined by s ↦ Γ(s) is monotone.

Intuitively, Γ computes for a given set of states S the set of "immediate successors", i.e., the set of states that can be reached by applying γ to an element of S. We will see that pre-fixpoints of Γ correspond to subcoalgebras. Furthermore, Γ is the key to formulate our notion of closed table in the learning algorithm.

Proposition 16. Let s: S ↣ X be a subobject and (X, γ) ∈ Coalg(B) for X ∈ C and B: C → C a functor that has a base. Then s is a subcoalgebra of (X, γ) if and only if Γ(s) ≤ s. Consequently, the collection of subcoalgebras of a given B-coalgebra forms a complete lattice.


Using this connection, reachability of a pointed coalgebra (Definition 5) can be expressed in terms of the least fixpoint lfp of an operator defined in terms of Γ.

Theorem 17. Let B: C → C be a functor that has a base. A pointed B-coalgebra (X, γ, x0) is reachable iff X = lfp(Γ ∨ x0) (isomorphic as subobjects of X, i.e., equal).

This justifies defining the reachable part from an initial state x0: 1 → X as the least fixpoint of the monotone operator Γ ∨ x0. Standard means of computing the least fixpoint by iterating this operator then give us a way to compute this subcoalgebra. Further, Γ provides a way to generalise the notion of "prefix closedness" from Angluin's L* algorithm to our categorical setting.

Definition 18. Let s0, s ∈ Sub(X) for some X ∈ C and let (X, γ) be a B-coalgebra. We call s s0-prefix closed w.r.t. γ if s = ∨_{i=0}^{n} s_i for some n ≥ 0 and a collection {s_i | i = 1, ..., n} with s_{j+1} ≤ Γ(∨_{i=0}^{j} s_i) for all j with 0 ≤ j < n.
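The base operator Γ of this section in Set, as an added Python illustration that is not code from the paper: Γ is computed for the two functors discussed above, Proposition 16 and Theorem 17 are checked by iterating Γ, and the layers of Definition 18 are produced for a reachable part. The DFA and LTS below are constructed for this example; a coalgebra is passed as a Python function from states to their B-structure.

```python
# Coalgebras are plain functions: for B X = 2 × X^A, coalg(x) = (accepting, {a: x'});
# for B X = (𝒫X)^A, coalg(x) = {a: set_of_successors}.

def gamma_dfa(coalg, S):
    """Γ(S) for B X = 2 × X^A: the base of γ ∘ s is the inclusion of
    Z = {(π2 ∘ γ)(x)(a) | x ∈ S, a ∈ A} (example after Definition 11)."""
    return {coalg(x)[1][a] for x in S for a in coalg(x)[1]}

def gamma_lts(coalg, S):
    """Γ(S) for B X = (𝒫X)^A: Z = {y | ∃x ∈ S, ∃a ∈ A such that y ∈ γ(x)(a)}."""
    return {y for x in S for a in coalg(x) for y in coalg(x)[a]}

def is_subcoalgebra(Gamma, coalg, S):
    """Proposition 16: S carries a subcoalgebra iff Γ(S) ≤ S (a pre-fixpoint)."""
    return Gamma(coalg, S) <= S

def reachable_part(Gamma, coalg, x0):
    """lfp(Γ ∨ x0) of Theorem 17, by iterating the monotone operator from the
    least subobject ∅. In Set the ascending chain stops once no new state appears,
    so an unreachable part of the carrier is never visited."""
    S = set()
    while True:
        nxt = Gamma(coalg, S) | {x0}
        if nxt == S:
            return S
        S = nxt

def prefix_closed_layers(Gamma, coalg, x0):
    """A witness for Definition 18 with s_0 = {x0}: each new layer is
    Γ(s_0 ∨ ... ∨ s_j) minus the join so far, hence s_{j+1} ≤ Γ(∨_{i≤j} s_i),
    and the join of all layers is the reachable part."""
    layers, seen = [{x0}], {x0}
    while True:
        new = Gamma(coalg, seen) - seen
        if not new:
            return layers
        layers.append(new)
        seen |= new

# Constructed DFA (B X = 2 × X^A over A = {a, b}); states 3 and 4 are unreachable from 0.
DFA = {0: (True, {"a": 1, "b": 0}), 1: (False, {"a": 2, "b": 1}),
       2: (False, {"a": 0, "b": 2}), 3: (True, {"a": 4, "b": 3}),
       4: (False, {"a": 3, "b": 0})}

# Constructed LTS (B X = (𝒫X)^A over A = {a, b, c}); state u4 is unreachable from u0.
LTS = {"u0": {"a": {"u1", "u2"}}, "u1": {"b": {"u3"}}, "u2": {"b": {"u3"}},
       "u3": {"c": {"u0"}}, "u4": {"a": {"u1"}}}

if __name__ == "__main__":
    print(reachable_part(gamma_dfa, DFA.get, 0))          # {0, 1, 2}
    print(prefix_closed_layers(gamma_lts, LTS.get, "u0")) # [{'u0'}, {'u1', 'u2'}, {'u3'}]
```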
6 Learning Algorithm

We define a general learning algorithm for B-coalgebras. First, we describe the setting, in general and slightly informal terms. The teacher has a pointed B-coalgebra (X, γ, s0). Our task is to 'learn' a pointed B-coalgebra (S, γ̂, ŝ0) s.t.:

– (S, γ̂, ŝ0) is correct w.r.t. the collection Φ of all tests, i.e., the theory of (X, γ) and (S, γ̂) coincide on the initial states s0 and ŝ0 (Definition 25);
– (S, γ̂, ŝ0) is minimal w.r.t. logical equivalence;
– (S, γ̂, ŝ0) is reachable.


The first point means that the learned coalgebra is ‘correct’, that is, it agrees 
with the coalgebra of the teacher on all possible tests from the initial state. For 
instance, in case of deterministic automata and their logic in Example 1, this 
just means that the language of the learned automaton is the correct one. 

In the learning game, we are only provided limited access to the coalgebra γ: X → BX. Concretely, the teacher gives us:

– for any subobject S ↣ X and sub-formula closed subobject W of Φ, the composite theory map S ↣ X --th^γ_W--> QW;
– for (S, γ̂, ŝ0) a pointed coalgebra, whether or not it is correct w.r.t. the collection Φ of all tests;
– in case of a negative answer to the previous question, a counterexample, which essentially is a subobject W' of Φ representing some tests on which the learned coalgebra is wrong (defined more precisely below);
– for a given subobject S of X, the 'next states'; formally, the computation of the B-base of the composite arrow S ↣ X --γ--> BX.


The first three points correspond respectively to the standard notions of membership query ('filling in' the table with rows S and columns W), equivalence query and counterexample generation. The last point, about the base, is more unusual: it does not occur in the standard algorithm, since there a canonical choice of (X, γ) is used, which allows next states to be represented in a fixed manner. It is required in our setting of an arbitrary coalgebra (X, γ).

In the remainder of this section, we describe the abstract learning algorithm 
and its correctness. First, we describe the basic ingredients needed for the algo- 
rithm: tables, closedness, counterexamples and a procedure to close a given table 
(Sect. 6.1). Based on these notions, the actual algorithm is presented (Sect. 6.2), 
followed by proofs of correctness and termination (Sect. 6.3). 


Assumption 19. Throughout this section, we assume

– that we deal with coalgebras over the base category C = Set;
– a functor B: C → C that preserves pre-images and wide intersections;
– a category D with an initial object 0 s.t. arrows with domain 0 are monic;
– a functor L: D → D with an initial algebra LΦ → Φ;
– an adjunction P ⊣ Q: C → D^op, and a logic δ: LP ⇒ PB.

Moreover, we assume a pointed B-coalgebra (X, γ, s0).

Remark 20. We restrict to C = Set, but see it as a key contribution to state the algorithm in categorical terms: the assumptions cover a wide class of functors on Set, which is the main direction of generalisation. Further, the categorical approach will enable future generalisations. The assumptions on the category C are: it is complete, well-powered and satisfies that for all (strong) epis q: S ↠ S̄ ∈ C and all monos i: S' ↣ S such that q ∘ i is mono there is a morphism q⁻¹: S̄ → S such that q ∘ q⁻¹ = id and q⁻¹ ∘ q ∘ i = i.


6.1 Tables and Counterexamples 


Definition 21. A table is a pair (S ↣^s X, W ↣^i Φ) consisting of a subobject s of X and a subformula-closed subobject i of Φ.

To make the notation a bit lighter, we sometimes refer to a table by (S, W), using s and i respectively to refer to the actual subobjects. The pair (S, W) represents 'rows' and 'columns' respectively, in the table; the 'elements' of the table are given abstractly by the map th^γ_W ∘ s. In particular, if C = D = Set and Q = 2^(−), then this is a map S → 2^W, assigning a Boolean value to every pair of a row (state) and a column (formula).

For the definition of closedness, we use the operator Γ(S) from Definition 14, which characterises the successors of a subobject S ↣ X.

[Diagram (9): S --s--> X --th^γ_W--> QW along the top, Γ(S) --Γ(s)--> X --th^γ_W--> QW along the bottom, and k: Γ(S) → S on the left]

Definition 22. A table (S, W) is closed if there exists a map k: Γ(S) → S such that Diagram (9) commutes. A table (S, W) is sharp if the composite map S --s--> X --th^γ_W--> QW is monic.


Thus, a table (S, W) is closed if all the successors of states (elements of Γ(S)) are already represented in S, up to equivalence w.r.t. the tests in W. In other terms, the rows corresponding to successors of existing rows are already in the table. Sharpness amounts to minimality w.r.t. logical equivalence: every row has a unique value. The latter will be an invariant of the algorithm (Theorem 32).

A conjecture is a coalgebra on S, which is not quite a subcoalgebra of X: instead, it is a subcoalgebra 'up to equivalence w.r.t. W', that is, the successors agree up to logical equivalence.

[Diagram (10): S --s--> X --γ--> BX along the top, γ̂: S → BS on the left, BS --Bs--> BX along the bottom, both paths then composed with B th^γ_W: BX → BQW]

Definition 23. Let (S, W) be a table. A coalgebra structure γ̂: S → BS is called a conjecture (for (S, W)) if Diagram (10) commutes.

It is essential to be able to construct a conjecture from a closed table. The 
following, stronger result is a variation of Proposition 16. 


Theorem 24. A sharp table is closed iff there exists a conjecture for it. More- 
over, if the table is sharp and B preserves monos, then this conjecture is unique. 
Our goal is to learn a pointed coalgebra which is correct w.r.t. all formulas. To this aim we ensure correctness w.r.t. an increasing sequence of subformula closed collections W.

[Diagram (11): 1 --s0--> X --th^γ_W--> QW and 1 --ŝ0--> S --th^γ̂_W--> QW]

Definition 25. Let (S, W) be a table, and let (S, γ̂, ŝ0) be a pointed B-coalgebra on S. We say (S, γ̂, ŝ0) is correct w.r.t. W if Diagram (11) commutes.

All conjectures constructed during the learning algorithm will be correct w.r.t. the subformula closed collection W of formulas under consideration.

Lemma 26. Suppose (S, W) is closed, and γ̂ is a conjecture. Then th^γ_W ∘ s = th^γ̂_W: S → QW. If ŝ0: 1 → S satisfies s ∘ ŝ0 = s0 then (S, γ̂, ŝ0) is correct w.r.t. W.

We next define the crucial notion of counterexample to a pointed coalgebra: a subobject W' of Φ on which it is 'incorrect'.

Definition 27. Let (S, W) be a table, and let (S, γ̂, ŝ0) be a pointed B-coalgebra on S. Let W' be a subformula closed subobject of Φ, such that W is a subcoalgebra of W'. We say W' is a counterexample (for (S, γ̂, ŝ0), extending W) if (S, γ̂, ŝ0) is not correct w.r.t. W'.

The following elementary lemma states that if there are no more counterexamples for a coalgebra, then it is correct w.r.t. the object Φ of all formulas.

Lemma 28. Let (S, W) be a table, and let (S, γ̂, ŝ0) be a pointed B-coalgebra on S. Suppose that there are no counterexamples for (S, γ̂, ŝ0) extending W. Then (S, γ̂, ŝ0) is correct w.r.t. Φ.

The following describes, for a given table, how to extend it with the successors (in X) of all states in S. As we will see below, by repeatedly applying this construction, one eventually obtains a closed table.

Definition 29. Let (S, W) be a sharp table. Let (S̄, q, r) be the (strong epi, mono)-factorisation of the map th^γ_W ∘ (s ∨ Γ(s)) as in the diagram:

[Diagram: S ∨ Γ(S) --s ∨ Γ(s)--> X --th^γ_W--> QW, factored as S ∨ Γ(S) --q--> S̄ --r--> QW]

We define close(S, W) := {s̄: S̄ ↣ X | th^γ_W ∘ s̄ = r, s ≤ s̄ ≤ s ∨ Γ(s)}. For each s̄ ∈ close(S, W) we have s ≤ s̄ and thus s = s̄ ∘ κ for some κ: S → S̄.

Lemma 30. In Definition 29, for each s̄ ∈ close(S, W), we have κ = q ∘ inl_∨. We will refer to κ = q ∘ inl_∨ as the connecting map from s to s̄.

Lemma 31. In Definition 29, if there exists q⁻¹: S̄ → S ∨ Γ(S) such that q ∘ q⁻¹ = id and q⁻¹ ∘ q ∘ inl_∨ = inl_∨, then close(S, W) is non-empty.

By our assumptions, the hypothesis of Lemma 31 is satisfied (Remark 20), hence close(S, W) is non-empty. It is precisely (and only) at this point that we need the strong condition about existence of right inverses to epimorphisms.
6.2 The Algorithm


Having defined closedness, counterexamples and a procedure for closing a table, we are ready to define the abstract algorithm. In the algorithm, the teacher has access to a function counter((S, γ̂, ŝ0), W), which returns the set of all counterexamples (extending W) for the conjecture (S, γ̂, ŝ0). If this set is empty, the coalgebra (S, γ̂, ŝ0) is correct (see Lemma 28), otherwise the teacher picks one of its elements W'. We also make use of close(S, W), as given in Definition 29.


Algorithm 1. Abstract learning algorithm

1: (S ↣^s X) ← (1 ↣^{s0} X)
2: ŝ0 ← id_1
3: W ← 0
4: while true do
5:   while (S ↣^s X, W) is not closed do
6:     let (S̄ ↣^{s̄} X) ∈ close(S, W), with connecting map κ: S → S̄
7:     (S ↣^s X) ← (S̄ ↣^{s̄} X)
8:     ŝ0 ← κ ∘ ŝ0
9:   end while
10:  let (S, γ̂) be a conjecture for (S, W)
11:  if counter((S, γ̂, ŝ0), W) = ∅ then
12:    return (S, γ̂, ŝ0)
13:  else
14:    W ← W' for some W' ∈ counter((S, γ̂, ŝ0), W)
15:  end if
16: end while


The algorithm takes as input the coalgebra (X, γ, s0) (which we fixed throughout this section). In every iteration of the outside loop, the table is first closed by repeatedly applying the procedure in Definition 29. Then, if the conjecture corresponding to the closed table is correct, the algorithm returns it (Line 12). Otherwise, a counterexample is chosen (Line 14), and the algorithm continues.


6.3 Correctness and Termination 


Correctness is stated in Theorem 33. It relies on establishing loop invariants: 


Theorem 32. The following is an invariant of both loops in Algorithm 1 in Sect. 6.2: 1. (S, W) is sharp, 2. s ∘ ŝ0 = s0, and 3. s is s0-prefix closed w.r.t. γ.

Theorem 33. If Algorithm 1 in Sect. 6.2 terminates, then it returns a pointed coalgebra (S, γ̂, ŝ0) which is minimal w.r.t. logical equivalence, reachable and correct w.r.t. Φ.
In our termination arguments, we have to make an assumption about the coalgebra which is to be learned. It does not need to be finite itself, but it should be finite up to logical equivalence—in the case of deterministic automata, for instance, this means the teacher has a (possibly infinite) automaton representing a regular language. To speak about this precisely, let W be a subobject of Φ. We take a (strong epi, mono)-factorisation of the theory map, i.e., th^γ_W = (X --e--> |X|_W --m--> QW) for some strong epi e and mono m. We call the object |X|_W in the middle the W-logical quotient. For the termination result (Theorem 37), |X|_Φ is assumed to have finitely many quotients and subobjects, which just amounts to finiteness, in Set.

We start with termination of the inner while loop (Corollary 36). This relies on two results: first, that once the connecting map κ is an iso, the table is closed, and second, that—under a suitable assumption on the coalgebra (X, γ)—during execution of the inner while loop, the map κ will eventually be an iso.


Theorem 34. Let (S,W) be a sharp table, let S € close(S,W) and let kK: S — S 
be the connecting map. If k is an isomorphism, then (S,W) is closed. 


Lemma 35. Consider a sequence of sharp tables (S_i ↪ X, Φ)_{i∈ℕ} such that 
S_{i+1} ∈ close(S_i, Φ) for all i. Moreover, let (κ_i: S_i → S_{i+1})_{i∈ℕ} be the 
connecting maps (Definition 29). If the logical quotient |X|_Φ of X has finitely 
many subobjects, then κ_i is an isomorphism for some i ∈ ℕ. 


Corollary 36. If the Φ-logical quotient |X|_Φ has finitely many subobjects, then 
the inner while loop of Algorithm 1 terminates. 


For the outer loop, we assume that |X|_Φ has finitely many quotients, ensuring 
that every sequence of counterexamples proposed by the teacher is finite. 


Theorem 37. If the Φ-logical quotient |X|_Φ has finitely many quotients and 
finitely many subobjects, then Algorithm 1 terminates. 


7 Future Work 


We showed how duality plays a natural role in automata learning, through the 
central connection between states and tests. Based on this foundation, we proved 
correctness and termination of an abstract algorithm for coalgebra learning. The 
generality is not so much in the base category (which, for the algorithm, we take 
to be Set) but rather in the functor used; we only require a few mild conditions 
on the functor, and make no assumptions about its shape. The approach is thus 
considered coalgebra learning rather than automata learning. 

Returning to automata, an interesting direction is to extend the present work 
to cover learning of, e.g., non-deterministic or alternating automata [5,9] for a 
regular language. This would require explicitly handling branching in the type of 
coalgebra. One promising direction would be to incorporate the forgetful logics 
of [19], which are defined within the same framework of coalgebraic logic as the 
current work. It is not difficult to define in this setting what it means for a table 
to be closed ‘up to the branching part’, stating, e.g., that even though the table 
is not closed, all the successors of rows are present as combinations of other rows. 

Another approach would be to integrate monads into our framework, which 
are also used to handle branching within the theory of coalgebras [16]. It is an 
intriguing question whether the current approach, which allows one to move beyond 
automata-like examples, can be combined with the CALF framework [13], which 
goes very far in handling the branching occurring in various kinds of automata. 


Acknowledgments. We are grateful to Joshua Moerman, Nick Bezhanishvili, Gerco 
van Heerdt, Aleks Kissinger and Stefan Milius for valuable discussions and suggestions. 
Abstract. In 2008, Ben-Amram, Jones and Kristiansen showed that for 
a simple programming language—representing non-deterministic imper- 
ative programs with bounded loops, and arithmetics limited to addition 
and multiplication—it is possible to decide precisely whether a program 
has certain growth-rate properties, in particular whether a computed 
value, or the program’s running time, has a polynomial growth rate. 

A natural and intriguing problem was to improve the precision of the 
information obtained. This paper shows how to obtain asymptotically- 
tight multivariate polynomial bounds for this class of programs. This is a 
complete solution: whenever a polynomial bound exists it will be found. 


1 Introduction 


One of the most important properties we would like to know about programs is 
their resource usage, i.e., the amount of resources (such as time, memory and 
energy) required for their execution. This information is useful during devel- 
opment, when performance bugs and security vulnerabilities exploiting perfor- 
mance issues can be avoided. It is also particularly relevant for mobile applica- 
tions, where resources are limited, and for cloud services, where resource usage 
is a major cost factor. 

In the literature, a lot of different “cost analysis” problems (also called 
“resource bound analysis,” etc.) have been studied (e.g. [1,11,13,18,19,24,26,27]); 
several of them may be grouped under the following general definition. The 
countable resource problem asks about the maximum usage of a “resource” that 
accumulates during execution, and which one can explicitly count, by instru- 
menting the program with an accumulator variable and instructions to incre- 
ment it where necessary. For example, we can estimate the execution time of 
a program by counting certain “basic steps”. Another example is counting the 
number of visits to designated program locations. Realistic problems of this type 
include bounding the number of calls to specific functions, perhaps to system 
services; the number of I/O operations; number of accesses to memory, etc. The 
consumption of resources such as energy suits our problem formulation as long 
as such explicit bookkeeping is possible (we have to assume that the increments, 
if not constant, are given by a monotone polynomial expression). 


© The Author(s) 2019 
In this paper we solve the bound analysis problem for a particular class of 
programs, defined in [7]. The bound analysis problem is to find symbolic bounds 
on the maximal possible value of an integer variable at the end of the program, 
in terms of some integer-valued variables that appear in the initial state of a 
computation. Thus, a solution to this problem might be used for any of the 
resource-bound analyses above. In this work we focus on values that grow poly- 
nomially (in the sense of being bounded by a polynomial), and our goal is to find 
polynomial bounds that are tight, in the sense of being precise up to a constant 
factor. 

The programs we study are expressed by the so-called core language. It is 
imperative, including bounded loops, non-deterministic branches and restricted 
arithmetic expressions; the syntax is shown in Fig. 1. Semantics is explained and 
motivated below, but is largely intuitive; see also the illustrative example in 
Fig. 2. In 2008, it was proved [7] that for this language it is decidable whether 
a computed result is polynomially bounded or not. This makes the language an 
attractive target for work on the problem of computing tight bounds. However, 
for the past ten years there has been no improvement on [7]. We now present an 
algorithm to compute, for every program in the language, and every variable in 
the program which has a polynomial upper bound (in terms of input values), a 
tight polynomial bound on its largest attainable value (informally, “the worst- 
case value” ) as a function of the input values. The bound is guaranteed to be tight 
up to a multiplicative constant factor but constants are left implicit (for example 
a bound quadratic in n will always be represented as n²). The algorithm could 
be extended to compute upper and lower bounds with explicit constant factors, 
but choosing to ignore coefficients simplifies the algorithm considerably. In fact, 
we have striven for a simple, comprehensible algorithm, and we believe that the 
algorithm we present is sufficiently simple that, beyond being comprehensible, 
offers insight into the structure of computations in this model. 


1.1 The Core Language 


Data. It is convenient to assume (without loss of generality) that the only type 
of data is non-negative integers. Note that a realistic (not “core”) program may 
include many statements that manipulate non-integer data that are not rele- 
vant to loop control—so in a complexity analysis, we may be able to abstract 
these parts away and still analyze the variables of interest. In other cases, it is 


X ∈ Variable   ::= X1 | X2 | X3 | ... | Xn 
E ∈ Expression ::= X | E + E | E * E 
C ∈ Command    ::= skip | X:=E | C1;C2 | loop E {C} 
                 | choose C1 or C2 


Fig. 1. Syntax of the core language. 
possible to preprocess a program to replace complex data values with their size 
(or “norm”), which is the quantity of importance for loop control. Methods for 
this process have been widely studied in conjunction with termination and cost 
analysis. 


Command Semantics. The core language is inherently non-deterministic. The 
choose command represents a non-deterministic choice, and can be used to 
abstract any concrete conditional command by simply ignoring the condition; 
this is necessary to ensure that our analysis problem is decidable. Note that what 
we ignore is branches within a loop body and not branches that implement the 
loop control, which we represent by a dedicated loop command. The command 
loop E {C} repeats C a (non-deterministic) number of times bounded by the 
value of E, which is evaluated just before the loop is entered. Thus, as a conser- 
vative abstraction, it may be used to model different forms of loops (for-loops, 
while-loops) as long as a bound on the number of iterations, as a function of 
the program state on loop initiation, can be determined and expressed in the 
language. There is an ample body of research on analysing programs to find such 
bounds where they are not explicitly given by the programmer; in particular, 
bounds can be obtained from a ranking function for the loop [2,3,5,6,23]. Note 
that the arithmetic in our language is too restricted to allow for the maintenance 
of counters and the creation of while loops, as there is no subtraction, no explicit 
constants and no tests. Thus, for realistic “concrete” programs which use such 
devices, loop-bound analysis is supposed to be performed on the concrete pro- 
gram as part of the process of abstracting it to the core language. This process 
is illustrated in [9, Sect. 2]. 

From a computability viewpoint, the use of bounded loops restricts the pro- 
grams that can be represented to such that compute primitive recursive func- 
tions; this is a rich enough class to cover a lot of useful algorithms and make the 
analysis problem challenging. In fact, our language resembles a weakened version 
of Meyer and Ritchie’s LOOP language [20], which computes all the primitive 
recursive functions, and where behavioral questions like “is the result linearly 
bounded” are undecidable. 


loop X1 { 
  loop X2 + X3 { choose { X3:= X1; X2:= X4 } or { X3:= X4; X2:= X1 }; 
                 X4:= X2 + X3 
  }; 
  loop X4 { choose { X3:= X1 + X2 + X3 } or { X3:= X2; X2:= X1 } } 
} 


Fig. 2. A core-language program. loop n C means “do C at most n times.” 


1.2 The Algorithm 


Consider the program in Fig. 2. Suppose that it is started with the values of 
the variables X1, X2, ... being x1, x2, .... Our purpose is to bound the values of 
all variables at the conclusion of the program in terms of those initial values. 
Indeed, they are all polynomially bounded, and our algorithm provides tight 
bounds. For instance, it establishes that the final value of X3 is tightly bounded 
(up to a constant factor) by max(x4(x4 + x1), x4(x2 + x3 + x1)). 

In fact, it produces information in a more precise form, as a disjunction 
of simultaneous bounds. This means that it generates vectors, called multi- 
polynomials, that give simultaneous bounds on all variables; for example, with 
the program in Fig. 2, one such multi-polynomial is (x1, x2, x3, x4) (this is the 
result of all loops taking a very early exit). This form is important in the con- 
text of a compositional analysis. To see why, suppose that we provide, for a 
command with variables X, Y, the bounds (x, y) and (y, x). Then we know that 
the sum of their values is always bounded by x + y, a result that would not have 
been deduced had we given the bound max(x, y) on each of the variables. The 
difference may be critical for the success of analyzing an enclosing or subsequent 
command. 

Multivariate bounds are often of interest, and perhaps require no justification, 
but let us point out that multivariate polynomials are necessary even if we’re 
ultimately interested in a univariate bound, in terms of some single initial value, 
say n. This is, again, due to the analysis being compositional. When we analyze 
an internal command that uses variables X, Y,... we do not know in what possible 
contexts the command will be executed and how the values of these variables 
will be related to n. 

Some highlights of our solution are as follows. 


— We reduce the problem of analyzing any core-language program to the prob- 
lem of analyzing a single loop, whose body is already processed, and therefore 
presented as a collection of multi-polynomials. This is typical of algorithms 
that analyze a structured imperative language and do so compositionally. 

— Since we are computing bounds only up to a constant factor, we work with 
abstract polynomials, that have no numeric coefficients. 

— We further introduce τ-polynomials, to describe the evolution of values in a 
loop. These have an additional parameter τ (for “time”; more precisely, num- 
ber of iterations). Introducing τ-polynomials was a key step in the solution. 

— The analysis of a loop is simply a closure computation under two operations: 
ordinary composition, and generalization, which is the operation that predicts 
the evolution of values by judiciously adding τ's to idempotent abstract multi- 
polynomials. 


The remainder of this paper is structured as follows. In Sect. 2 we give some 
definitions and state our main result. In Sects. 3, 4 and 5 we present our algo- 
rithm. In Sect. 6, we outline the correctness proofs. Section 7 considers related 
work, and Sect. 8 concludes and discusses ideas for further work. 


2 Preliminaries 


In this section, we give some basic definitions, complete the presentation of our 
programming language and precisely state the main result. 
2.1 Some Notation and Terminology 


The Language. We remark that in our language syntax there is no special form 
for a “program unit”; in the text we sometimes use “program” for the subject 
of our analysis, yet syntactically it’s just a command. 


Polynomials and Multi-polynomials. We work throughout this article with multi- 
variate polynomials in x1,...,xn that have non-negative integer coefficients and 
no variables other than x1,...,xn; when we speak of a polynomial we always 
mean one of this kind. Note that over the non-negative integers, such polynomials 
are monotonically (weakly) increasing in all variables. 

The post-fix substitution operator [a/b] may be applied to any sort of expres- 
sion containing a variable b, to substitute a instead; e.g., (x² + yx + y)[2z/y] = 
x² + 2zx + 2z. 

When discussing a command, state-transition, or program trace, with a vari- 
able X_i, x_i will denote, as a rule, the initial value of this variable, and x'_i its 
final value. Thus we distinguish the syntactic entity by the typewriter font. We 
write the polynomials manipulated by our algorithms using the variable names 
x_i. We presume that an implementation of the algorithm represents polynomials 
concretely so that ordinary operations such as composition can be applied, but 
otherwise we do not concern ourselves much with representation. 

The parameter n always refers to the number of variables in the subject 
program. The set [n] is {1,...,n}. For a set S an n-tuple over S is a mapping 
from [n] to S. The set of these tuples is denoted by S^n. Throughout the paper, 
various natural liftings of operators to collections of objects are tacitly assumed, 
e.g., if S is a set of integers then S + 1 is the set {s + 1 | s ∈ S} and S + S is 
{s + t | s, t ∈ S}. We use such lifting with sets as well as with tuples. If S is 
ordered, we extend the ordering to S^n by comparing tuples element-wise (this 
leads to a partial order, in general, e.g., with natural numbers, (1,3) and (2,2) 
are incomparable). 


Definition 1. A polynomial transition (PT) represents a mapping of an “input” 
state x = (x1,...,xn) to a “result” state x' = (x'1,...,x'n) = p(x) where 
p = (p[1],...,p[n]) is an n-tuple of polynomials. Such a p is called a multi- 
polynomial (MP); we denote by MPol the set of multi-polynomials, where the 
number of variables n is fixed by context. 


Multi-polynomials are used in this work to represent the effect of a command. 
Various operations will be applied to MPs, mostly obvious—in particular, com- 
position (which corresponds to sequential application of the transitions). Note 
that composition of multi-polynomials, q ∘ p, is naturally defined since p supplies 
n values for the n variables of q (in other words, they are composed as functions 
in N^n → N^n). We define Id to be the identity transformation, x' = x (in MP 
notation: p[i] = x_i for i = 1,...,n). 
2.2 Formal Semantics of the Core Language 


The semantics associates with every command C over variables X1,...,Xn, a rela- 
tion [[C]] 鈯?N^n 脳 N^n. In the expression x [[C]] y, vector x (respectively y) is the 
store before (after) the execution of C. 

The semantics of skip is the identity. The semantics of an assignment Xi:=E 
associates to each store x a new store y obtained by replacing the component x_i 
by the value of the expression E when evaluated over store x. This is defined in 
the natural way (details omitted), and is denoted by [[E]]x. Composite commands 
are described by the straightforward equations: 


  [[C1; C2]] = [[C2]] ∘ [[C1]] 
  [[choose C1 or C2]] = [[C1]] ∪ [[C2]] 
  [[loop E {C}]] = {(x, y) | ∃i ≤ [[E]]x : x [[C]]^i y} 


where [[C]]^i represents [[C]] ∘ ⋯ ∘ [[C]] (i occurrences of [[C]]); and [[C]]^0 = Id. 
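The relational semantics above, turned into runnable form as an added example (this code is not from the paper): run computes the whole set of stores reachable from a given initial store, so the union in the choose rule and the bounded iteration in the loop rule become explicit, and worst_case reads off the largest attainable final value of each variable, which is the quantity the paper's bounds are about. The tuple encoding of commands, the constructor helpers and the sample programs (the programs of Examples 2 and 3 in Sect. 4, plus a doubling loop) are this example's own choices.

```python
# Added example (not the paper's code): executable version of the core-language
# semantics of Sect. 2.2. Commands and expressions are tuples; variable indices
# are 0-based (X1 is index 0). A loop bound is evaluated once, on entry.

def eval_expr(e, store):
    """[[E]]x: expressions are variables, sums and products only."""
    tag = e[0]
    if tag == "var":
        return store[e[1]]
    if tag == "add":
        return eval_expr(e[1], store) + eval_expr(e[2], store)
    if tag == "mul":
        return eval_expr(e[1], store) * eval_expr(e[2], store)
    raise ValueError(f"unknown expression {e!r}")

def run(cmd, store):
    """Return the frozenset of stores y with x [[C]] y, where x = store."""
    tag = cmd[0]
    if tag == "skip":
        return frozenset({store})
    if tag == "assign":                     # X_i := E
        _, i, e = cmd
        y = list(store)
        y[i] = eval_expr(e, store)
        return frozenset({tuple(y)})
    if tag == "seq":                        # [[C1;C2]] = [[C2]] o [[C1]]
        _, c1, c2 = cmd
        return frozenset(z for y in run(c1, store) for z in run(c2, y))
    if tag == "choose":                     # union of both branches
        _, c1, c2 = cmd
        return run(c1, store) | run(c2, store)
    if tag == "loop":                       # 0 .. [[E]]x iterations of the body
        _, e, body = cmd
        bound = eval_expr(e, store)
        frontier = {store}
        reached = set(frontier)
        for _ in range(bound):
            frontier = {z for y in frontier for z in run(body, y)}
            reached |= frontier
        return frozenset(reached)
    raise ValueError(f"unknown command {cmd!r}")

def worst_case(cmd, store):
    """Largest attainable final value of each variable over all outcomes."""
    outcomes = run(cmd, store)
    return tuple(max(y[i] for y in outcomes) for i in range(len(store)))

# Small constructors so programs read like the paper's syntax (1-based names).
def X(i): return ("var", i - 1)
def ADD(a, b): return ("add", a, b)
def MUL(a, b): return ("mul", a, b)
def ASSIGN(i, e): return ("assign", i - 1, e)
def LOOP(e, body): return ("loop", e, body)
def CHOOSE(c1, c2): return ("choose", c1, c2)
def SEQ(*cs):
    c = cs[0]
    for d in cs[1:]:
        c = ("seq", c, d)
    return c

# Constructed sample programs.
# Example 3 of the paper: X4:= X1; loop X4 { X2:= X1 + X2; X3:= X2 }
EXAMPLE3 = SEQ(ASSIGN(4, X(1)),
               LOOP(X(4), SEQ(ASSIGN(2, ADD(X(1), X(2))), ASSIGN(3, X(2)))))
# Example 2 of the paper: X2:= X1; choose { X4:= X2 + X3 } or { X1:= X2 * X3 }
EXAMPLE2 = SEQ(ASSIGN(2, X(1)),
               CHOOSE(ASSIGN(4, ADD(X(2), X(3))), ASSIGN(1, MUL(X(2), X(3)))))
# loop X1 { X1:= X1 + X1 }: a loop whose result is not polynomially bounded
DOUBLING = LOOP(X(1), ASSIGN(1, ADD(X(1), X(1))))

if __name__ == "__main__":
    print(sorted(run(EXAMPLE3, (2, 1, 0, 0))))
    print(worst_case(EXAMPLE3, (2, 1, 0, 0)))
    print(sorted(run(DOUBLING, (3,))))
```

Because every loop is bounded, the reachable set is always finite, so run terminates; it is an enumeration of the concrete semantics, not an analysis, and blows up as fast as the worst-case values it computes. The doubling loop shows why the paper insists on polynomially-bounded variables: from X1 = 3 it reaches 3, 6, 12 and 24, and the worst case grows exponentially in the input.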


Remarks. The following two changes may enhance the applicability of the core 
language for simulating certain concrete programs; we include them as “options” 
because they do not affect the validity of our proofs. 


1. The semantics of an assignment operation may be non-deterministic: X:=E 
assigns to X some non-negative value bounded by E. This is useful to abstract 
expressions which are not in the core language, and also to use the results of 
size analysis of subprograms. Such an analysis may determine invariants such 
as “the value of f (X,Y) is at most the sum of X and Y.” 

2. The domain of the integer variables may be extended to Z. In this case the 
bounds that we seek are on the absolute value of the output in terms of 
absolute values of the inputs. This change does not affect our conclusions 
because of the facts |xy| = |x|·|y| and |x + y| ≤ |x| + |y|. The semantics of 
the loop command may be defined either as doing nothing if the loop bound 
is not positive, or using the absolute value as a bound. 


2.3 Detailed Statement of the Main Result 


The polynomial-bound analysis problem is to find, for any given command, which 
output variables are bounded by a polynomial in the input values (which are 
simply the values of all variables upon commencement of the program), and 
to bound these output values tightly (up to constant factors). The problem of 
identifying the polynomially-bounded variables is completely solved by [7]. We 
rely on that algorithm, which is polynomial-time, to do this for us (as further 
explained below). 
Our main result is thus stated as follows. 


Theorem 1. There is an algorithm which, for a command C, over variables X1 
through Xn, outputs a set B of multi-polynomials, such that the following hold, 
where PB is the set of indices i of variables Xi which are polynomially bounded 
under [[C]]. 

1. (Bounding) There is a constant c_p associated with each p ∈ B, such that 

  ∀x, y . x [[C]] y ⟹ ∃p ∈ B . ∀i ∈ PB . y_i ≤ c_p p[i](x) 

2. (Tightness) For every p ∈ B there are constants d_p > 0, x_0 such that for all 
x ≥ x_0 there is a y such that 

  x [[C]] y and ∀i ∈ PB . y_i ≥ d_p p[i](x). 


3 Analysis Algorithm: First Concepts 


The following sections describe our analysis algorithm. Naturally, the most intri- 
cate part of the analysis concerns loops. In fact we break the description into 
stages: first we reduce the problem of analyzing any program to that of analyzing 
simple disjunctive loops, defined next. Then, we approach the analysis of such 
loops, which is the main effort in this work. 


Definition 2. A simple disjunctive loop (SDL) is a finite set of PTs. 


The loop is “disjunctive” because its meaning is that in every iteration, any 
of the given transitions may be applied. The semantics is formalized by traces 
(Definition 4). A SDL does not specify the number of iterations; our analysis 
generates polynomials which depend on the number of iterations as well as the 
initial state. For this purpose, we now introduce τ-polynomials where τ repre- 
sents the number of iterations. 


Definition 3. τ-polynomials are polynomials in x1,...,xn and τ. 


τ has a special status and does not have a separate component in the polyno- 
mial giving its value. If p is a τ-polynomial, then p(v1,...,vn) is the result of 
substituting each v_i for the respective x_i; and we also write p(v1,...,vn,t) for 
the result of substituting t for τ as well. The set of τ-polynomials in n variables 
(n known from context) is denoted τPol. 

Multi-polynomials and polynomial transitions are formed from τ-polynomials 
just as previously defined and are used to represent the effect of a variable number 
of iterations. For example, the τ-polynomial transition (x'1, x'2) = (x1, x2 + τx1) 
represents the effect of repeating (τ times) the assignment X2:= X2 + X1. 
Iterating the composite command X2:= X2 + X1; X3:= X3 + X2 has an 
effect described by x' = (x1, x2 + τx1, x3 + τx2 + τ²x1) (here we already have 
an upper bound which is not reached precisely, but is correct up to a constant 
factor). We denote the set of τ-polynomial transitions by τMPol. We should 
note that composition q ∘ p over τMPol is performed by substituting p[i] for 
each occurrence of x_i in q. Occurrences of τ are unaffected (since τ is not part 
of the state). We make a couple of preliminary definitions before reaching our 
goal, which is the definition of the simple disjunctive loop problem (Definition 6). 


Definition 4. Let S be a set of polynomial transitions. An (abstract) trace over 
S is a finite sequence p1;...;p|σ| of elements of S. Thus |σ| denotes the length 
of the trace. The set of all traces is denoted S*. We write [[σ]] for the composed 
relation p|σ| ∘ ⋯ ∘ p1 (for the empty trace, ε, we have [[ε]] = Id). 

Definition 5. Let p(x) be a (concrete or abstract) τ-polynomial. We write p̀ for 
the sum of linear monomials of p, namely any one of the form ax_i with constant 
coefficient a. We write p̂ for the rest. Thus p = p̀ + p̂. 


Definition 6 (Simple disjunctive loop problem). The simple disjunctive 
loop problem is: given the set S, find (if possible) a finite set B of τ-polynomial 
transitions which tightly bound all traces over S. More precisely, we require: 


1. (Bounding) There is a constant c_p > 0 associated with each p ∈ B, such that 

  ∀x, y, σ . x [[σ]] y ⟹ ∃p ∈ B . y ≤ c_p p(x, |σ|) 

2. (Tightness) For every p ∈ B there are constants d_p > 0, x_0 such that for all 
x ≥ x_0 there are a trace σ and a state vector y such that 

  x [[σ]] y ∧ y ≥ p̀(x, |σ|) + d_p p̂(x, |σ|). 


Note that in the lower-bound clause (2), the linear monomials of p are not 
multiplied, in the left-hand side, by the coefficient d_p; this sets, in a sense, a 
stricter requirement for them: if the trace maps x to x² then the bound 2x² is 
acceptable, but if it maps x to x, the bound 2x is not accepted. The reader may 
understand this technicality by considering the effect of iteration: it is important 
to distinguish the transition x'_1 = x_1, which can be iterated ad libitum, from 
the transition x'_1 = 2x_1, which produces exponential growth on iteration. Dis- 
tinguishing x'_1 = x_1² from x'_1 = 2x_1² is not as important. The result set B above is 
sometimes called a loop summary. We remark that Definition 6 implies that the 
max of all these polynomials provides a “big Theta” bound for the worst-case 
(namely biggest) results of the loop's computation. We prefer, however, to work 
with sets of polynomials. Another technical remark is that c_p, d_p range over real 
numbers. However, our data and the coefficients of polynomials remain integers; 
it is only such comparisons that are performed with real numbers (specifically, 
to allow c_p to be smaller than one). 


4 Reduction to Simple Disjunctive Loops 


We show how to reduce the problem of analysing core-language programs to the 
analysis of polynomially-bounded simple disjunctive loops. 


4.1 Symbolic Evaluation of Straight-Line Code 


Straight-line code consists of atomic commands—namely assignments (or skip, 
equivalent to Xi:=Xi), composed sequentially. It is obvious that symbolic eval- 
uation of such code leads to polynomial transitions. 


Example 1. X2:= X1; X4:= X2 + X3; X1:= X2 * X3 is precisely represented by 
the transition (x'1, x'2, x'3, x'4) = (x1x3, x1, x3, x1 + x3). 
4.2 Evaluation of Non-deterministic Choice 


Evaluation of the command choose C1 or C2 yields a set of possible outcomes. 
Hence, the result of analyzing a command will be a set of multi-polynomial 
transitions. We express this in the common notation of abstract semantics: 

  [[C]]♯ ∈ ℘(MPol). 

For uniformity, we consider [[C]]♯ for an atomic command to be a singleton in 
℘(MPol) (this means that we represent a transition x' = p(x) by {p}). Compo- 
sition is naturally extended to sets, and the semantics of a choice command is 
now simply set union, so we have: 

  [[C1; C2]]♯ = [[C2]]♯ ∘ [[C1]]♯ 
  [[choose C1 or C2]]♯ = [[C1]]♯ ∪ [[C2]]♯ 


Example 2. X2:= X1; choose { X4:= X2 + X3 } or { X1:= X2 * X3 } is represe- 
nted by the set { (x1, x1, x3, x1 + x3), (x1x3, x1, x3, x4) }. 


4.3 Handling Loops 


The above shows that any loop-free command in our language can be precisely 
represented by a finite set of PTs. Consequently, the problem of analyzing any 
command is reduced to the analysis of simple disjunctive loops. 

Suppose that we have an algorithm SOLVE that takes a simple disjunctive 
loop and computes tight bounds for it (see Definition 6). We use it to complete 
the analysis of any program by the following definition: 


  [[loop E {C}]]♯ = (SOLVE([[C]]♯))[E/τ]. 


Thus, the whole solution is constructed as an ordinary abstract interpre- 
tation, following the semantics of the language, except for procedure SOLVE, 
described below. 


Example 3. X4:= X1; loop X4 { X2:= X1 + X2; X3:= X2 }. 

The loop includes just one PT. Solving the loop yields a set L = { (x1, x2, x3, x4), 
(x1, x2 + τx1, x2 + τx1, x4) } (the first MP accounts for zero iterations, the sec- 
ond covers any positive number of iterations). We can now compute the effect 
of the given command as 

  L[x4/τ] ∘ [[X4:= X1]]♯ = L[x4/τ] ∘ { (x1, x2, x3, x1) } 
                        = { (x1, x2, x3, x1), (x1, x2 + x1², x2 + x1², x1) }. 
The next section describes procedure SOLVE, and operates under the assump- 
tion that all variables are polynomially bounded in the loop. However, a loop 
can generate exponential growth. To cover this eventuality, we first apply the 
algorithm of [7] which identifies which variables are polynomially bounded. If 
some X_i is not polynomially bounded we replace the ith component of all the 
loop transitions with x_n (where we assume x_n to be a dedicated, unmodified 
variable). Clearly, after this change, all variables are polynomially bounded; 
moreover, variables which are genuinely polynomial are unaffected, because they 
cannot depend on a super-exponential quantity (given the restricted arithmetics 
in our language). In reporting the results of the algorithm, we should display 
“super-polynomial” instead of all bounds that depend on x_n. 


5 Simple Disjunctive Loop Analysis Algorithm 


Intuitively, evaluating loop E {C} abstractly consists of simulating any finite 
number of iterations, i.e., computing 


  Q_i = {Id} ∪ P ∪ (P ∘ P) ∪ ⋯ ∪ P^i                                   (1) 


where P = [[C]]♯ ∈ ℘(MPol). The question now is whether the sequence (1) 
reaches a fixed point. In fact, it often doesn’t. However, it is quite easy to see 
that in the multiplicative fragment of the language, that is, where the addition 
operator is not used, such non-convergence is associated with exponential growth. 
Indeed, since there is no addition, all our polynomials are monomials with a 
leading coefficient of 1 (monic monomials )—this is easy to verify. It follows that 
if the sequence (1) does not converge, higher and higher exponents must appear, 
which indicates that some variable cannot be bounded polynomially. Taking the 
contrapositive, we conclude that if all variables are known to be polynomially 
bounded the sequence will converge. Thus we have the following easy (and not 
so satisfying) result: 


Observation 2. For a SDL that does not use addition, the sequence Q; as in 
(1) reaches a fixed point, and the fixed point provides tight bounds for all the 
polynomially-bounded variables. 
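Symbolic evaluation of loop-free commands (Sects. 4.1 and 4.2) and the iteration Q_i of (1), as an added example that is not the paper's code. Polynomials are frozensets of (exponent-tuple, coefficient) pairs, an MP is a tuple of n polynomials, and sym_eval maps a loop-free command to a frozenset of MPs in the way the abstract semantics of Sect. 4.2 prescribes; iterate then computes the sequence Q_i with a cap on the number of rounds, so the fixed point of Observation 2 can be watched being reached for a loop without addition, and the non-convergence that addition causes can be watched failing to. The tuple encoding of commands, the function names and the sample loops are constructed for this example; the two straight-line programs are those of Examples 1 and 2.

```python
# Added example (not the paper's code): symbolic evaluation of loop-free commands
# into sets of multi-polynomials (Sects. 4.1-4.2) and the sequence Q_i of (1).
# A polynomial in x1..xn is a frozenset of (exponent-tuple, coefficient) pairs,
# an MP is a tuple of n polynomials, and a loop-free command evaluates to a
# frozenset of MPs. Commands and expressions are tuples with 0-based variable
# indices: ("var", i), ("add", a, b), ("mul", a, b); ("skip",), ("assign", i, E),
# ("seq", C1, C2), ("choose", C1, C2).  (Encoding chosen for this example.)

def poly(d):
    """Normalise a {monomial: coeff} dict into a hashable polynomial."""
    return frozenset((m, c) for m, c in d.items() if c)

def var(i, n):                      # the polynomial x_{i+1} in n variables
    return poly({tuple(1 if j == i else 0 for j in range(n)): 1})

def add(p, q):
    d = dict(p)
    for m, c in q:
        d[m] = d.get(m, 0) + c
    return poly(d)

def mul(p, q):
    d = {}
    for m1, c1 in p:
        for m2, c2 in q:
            m = tuple(a + b for a, b in zip(m1, m2))
            d[m] = d.get(m, 0) + c1 * c2
    return poly(d)

def subst(q, mp):
    """q[mp[0]/x1, ..., mp[n-1]/xn]: evaluate q on polynomial arguments."""
    n = len(mp)
    result = poly({})
    for m, c in q:
        term = poly({(0,) * n: c})
        for i, e in enumerate(m):
            for _ in range(e):
                term = mul(term, mp[i])
        result = add(result, term)
    return result

def compose(q, p):                  # q o p: apply p first, then q
    return tuple(subst(q[i], p) for i in range(len(p)))

def identity(n):                    # Id: x' = x
    return tuple(var(i, n) for i in range(n))

def sym_expr(e, mp):
    """Value of expression E when each variable holds the polynomial mp[i]."""
    if e[0] == "var":
        return mp[e[1]]
    if e[0] not in ("add", "mul"):
        raise ValueError(f"unknown expression {e!r}")
    f = add if e[0] == "add" else mul
    return f(sym_expr(e[1], mp), sym_expr(e[2], mp))

def sym_eval(cmd, n):
    """Abstract semantics of a loop-free command: a frozenset of MPs."""
    tag = cmd[0]
    if tag == "skip":
        return frozenset({identity(n)})
    if tag == "assign":
        mp = list(identity(n))
        mp[cmd[1]] = sym_expr(cmd[2], identity(n))
        return frozenset({tuple(mp)})
    if tag == "seq":                # [[C1;C2]] = [[C2]] o [[C1]], lifted to sets
        return frozenset(compose(q, p)
                         for p in sym_eval(cmd[1], n) for q in sym_eval(cmd[2], n))
    if tag == "choose":             # set union
        return sym_eval(cmd[1], n) | sym_eval(cmd[2], n)
    raise ValueError("loops are handled by SOLVE, not by symbolic evaluation")

def iterate(P, n, max_rounds):
    """Q_i = {Id} u P u (P o P) u ... u P^i as in (1).
    Returns (Q, True) once Q_{i+1} = Q_i, or (Q after max_rounds, False)."""
    Q = {identity(n)}
    power = {identity(n)}           # P^i
    for _ in range(max_rounds):
        power = {compose(q, p) for q in P for p in power}
        if power <= Q:              # P^{i+1} adds nothing: fixed point
            return frozenset(Q), True
        Q |= power
    return frozenset(Q), False

# Constructed inputs: Examples 1 and 2 of the paper, and two one-transition loops.
EXAMPLE1 = ("seq", ("seq", ("assign", 1, ("var", 0)),
                           ("assign", 3, ("add", ("var", 1), ("var", 2)))),
                   ("assign", 0, ("mul", ("var", 1), ("var", 2))))
EXAMPLE2 = ("seq", ("assign", 1, ("var", 0)),
                   ("choose", ("assign", 3, ("add", ("var", 1), ("var", 2))),
                              ("assign", 0, ("mul", ("var", 1), ("var", 2)))))
x1, x2, x3 = (var(i, 3) for i in range(3))
MULT_LOOP = frozenset({(mul(x2, x3), x3, x3)})    # body X1:= X2*X3; X2:= X3
ADD_LOOP = frozenset({(add(x1, x2), x2, x3)})     # body X1:= X1 + X2

if __name__ == "__main__":
    print(sym_eval(EXAMPLE2, 4))
    print(iterate(MULT_LOOP, 3, 20))
    print(iterate(ADD_LOOP, 3, 5)[1])
```

For MULT_LOOP the sequence stabilises at Q_2 = {Id, (x2x3, x3, x3), (x3², x3, x3)}; for ADD_LOOP every round contributes a new MP (x1 + kx2, x2, x3), which is exactly the non-convergence the text describes and the reason the rest of Sect. 5 moves to abstract τ-polynomials.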


When we have addition, we find that knowing that all variables are polyno- 
mially bounded does not imply convergence of the sequence (1). An example is: 
loop X3 { X1:= X1 + X2 } yielding the infinite sequence of MPs (x1, x2, x3), 
(x1 + x2, x2, x3), (x1 + 2x2, x2, x3), ... Our solution employs two means. One 
is the introduction of τ-polynomials, already presented. The other is a kind of 
abstraction—intuitively, ignoring the concrete values of (non-zero) coefficients. 
Let us first define this abstraction: 


Definition 7. APol, the set of abstract polynomials, consists of formal sums 
of distinct monomials over x1,...,xn, where the coefficient of every mono- 
mial included is 1. We extend the definition to an abstraction of τ-polynomials, 
denoted τAPol. 
The meaning of abstract polynomials is given by the following rules: 


1. The abstraction of a polynomial p, α(p), is obtained by modifying all (non- 
zero) coefficients to 1. 

2. Addition and multiplication in τAPol are defined in a natural way so that α(p) + 
α(q) = α(p + q) and α(p)·α(q) = α(p·q) (to carry these operations out, you 
just go through the motions of adding or multiplying ordinary polynomials, 
ignoring the coefficient values). 

3. The canonical concretization of an abstract polynomial, γ(p), is obtained by 
simply regarding it as an ordinary polynomial. 

4. These definitions extend naturally to tuples of (abstract) polynomials. 

5. The set of abstract multi-polynomials AMPol and their extension with τ 
(τAMPol) are defined as n-tuples over APol (respectively, τAPol). We use 
AMP as an abbreviation for abstract multi-polynomial. 

6. Composition p • q, for p, q ∈ AMPol (or τAMPol) is defined as α(γ(p) ∘ γ(q)); 
it is easy to see that one can perform the calculation without the detour 
through polynomials with coefficients. The different operator symbol (“•” 
versus “∘”) helps in disambiguating expressions. 

Analysing a SDL. To analyse a SDL specified by a set of MPs S, we start 
by computing α(S). The rest of the algorithm computes within τAMPol. We 
define two operations that are combined in the analysis of loops. The first, which 
we call closure, is simply the fixed point of accumulated iterations as in the 
multiplicative case. It is introduced by the following two definitions. 


Definition 8 (iterated composition). Let t be any abstract τ-MP. We define 
t^{•n}, for n ≥ 0, by: 

  t^{•0} = Id 
  t^{•(n+1)} = t • t^{•n}. 

For a set T of abstract τ-MPs, we define, for n ≥ 0: 

  T^{•0} = {Id} 
  T^{•(n+1)} = T^{•n} ∪ ⋃_{q ∈ T, p ∈ T^{•n}} q • p. 


Note that t^{•n} = α(γ(t)^{∘n}), where p^{∘n} is defined using ordinary composition. 


Definition 9 (abstract closure). For finite P ⊆ τAMPol, we define: 

  Cl(P) = ⋃_{i≥0} P^{•i}. 


In the correctness proof, we argue that when all variables are polynomially 
bounded in a loop S, the closure of α(S) can be computed in finite time; equiva- 
lently, it equals ⋃_{i≤k} (α(S))^{•i} for some k. The argument is essentially the same 
as in the multiplicative case. 
The second operation is called generalization and its role is to capture the 
behaviour of accumulator variables, meaning variables that grow by accumulat- 
ing increments in the loop, and make explicit the dependence on the number of 
iterations. The identification of which additive terms in a MP should be consid- 
ered as increments that accumulate is at the heart of our problem, and is greatly 
simplified by concentrating on idempotent AMPs. 


Definition 10. p ∈ τAMPol is called idempotent if p • p = p.

Note that this is composition in the abstract domain. So, for instance, (x1, x2) is idempotent, and so is (x1 + x2, x2), while (x1x2, x2) and (x1 + x2, x1) are not.


Definition 11. For p an (abstract) multi-polynomial, we say that x_i is self-dependent in p if p[i] depends on x_i. We call a monomial self-dependent if all the variables appearing in it are.


Definition 12. We define a notational convention for τ-MPs. Assuming that p[i] depends on x_i, we write

$p[i] = x_i + \tau p[i]' + p[i]'' + p[i]''',$

where p[i]''' includes all the non-self-dependent monomials of p[i], while the self-dependent monomials (other than x_i) are grouped into two sums: τp[i]', including all monomials with a positive degree of τ, and p[i]'', which includes all the τ-free monomials.

Example 4. Let p = (x1 + τx2 + τx3 + x3x4, x3, x3, x4). The self-dependent variables are all but x2. Since x1 is self-dependent, we will apply the above definition to p[1], so that p[1]' = x3, p[1]'' = x3x4 and p[1]''' = τx2. Note that a factor of τ is stripped in p[1]'. Had the monomial been τ²x3, we would have p[1]' = τx3.


Definition 13 (generalization). Let p be idempotent in τAMPol; define p^τ by

$p^\tau[i] = x_i + \tau p[i]' + \tau p[i]'' + p[i]''' \quad \text{if } p[i] \text{ depends on } x_i,$
$p^\tau[i] = p[i] \quad \text{otherwise.}$

Note that the arithmetic here is abstract (see examples below). Note also that in the term τp[i]' the τ is already present in p, while in τp[i]'' it is added to existing monomials. In this definition, the monomials of p[i]'' are treated like those of τp[i]'; however, in certain steps of the proofs we treat them differently, which is why the notation separates them.


Example 5. Let p = (x1 + x3, x2 + x3 + x4, x3, x3). Note that p • p = p. We have p^τ = (x1 + τx3, x2 + τx3 + x4, x3, x3).




Example 6. Let p = (x1 + τx2 + τx3 + τx3x4, x3, x3, x4). Note that p • p = p. The self-dependent variables are all but x2. We have p^τ = (x1 + τx2 + τx3 + τx3x4, x3, x3, x4) = p.


Finally we can present the analysis of the loop command. 


Algorithm SOLVE(S)
Input: S, a polynomially-bounded disjunctive simple loop
Output: a set of τ-MPs which tightly approximates the effect of all S-traces.

1. Set T = α(S).
2. Repeat the following steps until T remains fixed:
(a) Closure: Set T to Cl(T).
(b) Generalization: For all p ∈ T such that p • p = p, add p^τ to T.


Example 7. loop X { X1 := X1 + X2; X2 := X2 + X3; X4 := X3 }
The body of the loop is evaluated symbolically and yields the multi-polynomial:

p = (x1 + x2, x2 + x3, x3, x3)

Now, computing within AMPol,

α(p)^{•2} = α(p) • α(p) = (x1 + x2 + x3, x2 + x3, x3, x3) = α(p)^{•3}.

Here the closure computation stops. Since α(p)^{•2} is idempotent, we compute

q = (α(p)^{•2})^τ = (x1 + τx2 + τx3, x2 + τx3, x3, x3)

and applying closure again, we obtain some additional results:

q • α(p) = (x1 + x2 + x3 + τx2 + τx3, x2 + x3 + τx3, x3, x3)
q^{•2} = (x1 + τx2 + τx3 + τ²x3, x2 + τx3, x3, x3)
q^{•2} • α(p) = (x1 + x2 + x3 + τx2 + τx3 + τ²x3, x2 + x3 + τx3, x3, x3)

The last element is idempotent but applying generalization does not generate anything new. Thus the algorithm ends. The reader may reconsider the source code to verify that we have indeed obtained tight bounds for the loop.
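The definitions above (iterated composition, closure, idempotence, generalization) and Algorithm SOLVE, as an added worked implementation that is not the paper's own code: abstract polynomials are sets of monomials with the coefficients dropped, τ is written t, and the constructed input is the loop body of Example 7, whose closure elements (q, q^{•2}, and the final idempotent element) the functions reproduce.

```python
"""Abstract multi-polynomials with the symbol tau (written t), following the
page's Definitions 8-13 and Algorithm SOLVE. This is an added illustration,
not the authors' implementation. A monomial is a tuple of exponents
(x_1, ..., x_n, t); an abstract polynomial is a frozenset of monomials (the
coefficients are dropped, so "+" is set union); an AMP is an n-tuple of them."""


def poly(n, text):
    """Parse e.g. "x1 + t*x2 + t^2*x3 + x3*x4" into an abstract polynomial."""
    monos = set()
    for term in text.split("+"):
        m = [0] * (n + 1)
        for factor in term.split("*"):
            name, _, exp = factor.strip().partition("^")
            m[n if name == "t" else int(name[1:]) - 1] += int(exp or 1)
        monos.add(tuple(m))
    return frozenset(monos)


def amp(n, *comps):
    """Build an AMP from one string per component, e.g. amp(2, "x1 + x2", "x2")."""
    return tuple(poly(n, c) for c in comps)


def mul(p, q):
    """Abstract product: every pair of monomials, exponents added."""
    return frozenset(tuple(a + b for a, b in zip(ma, mb)) for ma in p for mb in q)


def power(p, e, n):
    r = frozenset([tuple([0] * (n + 1))])  # the monomial 1
    for _ in range(e):
        r = mul(r, p)
    return r


def identity(n):
    return amp(n, *[f"x{i + 1}" for i in range(n)])


def compose(p, q):
    """p • q = alpha(gamma(p) o gamma(q)): substitute q[j] for x_j in every
    component of p; t is a free symbol and is carried through unchanged."""
    n = len(p)
    out = []
    for comp in p:
        acc = frozenset()
        for m in comp:
            term = frozenset([tuple([0] * n + [m[n]])])  # keep the t^k factor
            for j in range(n):
                term = mul(term, power(q[j], m[j], n))
            acc |= term
        out.append(acc)
    return tuple(out)


def closure(T):
    """Cl(T) (Definition 9): the union of the T^{•i} of Definition 8, computed
    until no new element appears (finite when the loop is polynomially bounded)."""
    n = len(next(iter(T)))
    cl = {identity(n)}
    while True:
        new = {compose(q, p) for q in T for p in cl} - cl
        if not new:
            return frozenset(cl)
        cl |= new


def is_idempotent(p):
    """Definition 10: p • p = p under abstract composition."""
    return compose(p, p) == p


def generalize(p):
    """p^t (Definition 13): in each component that depends on x_i, the
    self-dependent t-free monomials other than x_i (the p[i]'' part) get a
    factor t; t*p[i]' and the non-self-dependent p[i]''' are left unchanged."""
    n = len(p)
    self_dep = [any(m[i] > 0 for m in p[i]) for i in range(n)]
    out = []
    for i, comp in enumerate(p):
        if not self_dep[i]:
            out.append(comp)
            continue
        xi = tuple(1 if j == i else 0 for j in range(n + 1))
        new = set()
        for m in comp:
            sd = all(self_dep[j] for j in range(n) if m[j] > 0)
            new.add(m[:n] + (1,) if m != xi and sd and m[n] == 0 else m)
        out.append(frozenset(new))
    return tuple(out)


def solve(S):
    """Algorithm SOLVE: alternate closure and generalization until T is fixed."""
    T = frozenset(S)
    while True:
        T2 = closure(T)
        T2 |= {generalize(p) for p in T2 if is_idempotent(p)}
        if T2 == T:
            return T
        T = T2


# Constructed input: the loop body of Example 7, p = (x1 + x2, x2 + x3, x3, x3).
EXAMPLE_7 = amp(4, "x1 + x2", "x2 + x3", "x3", "x3")
```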


6 Correctness 


We claim that our algorithm obtains a description of the worst-case results of 
the program that is precise up to constant factors. That is, we claim that the set 
of MPs returned provides an upper bound (on all executions) which is also tight; 
tightness means that every MP returned is also a lower bound (up to a constant 
factor) on an infinite sequence of possible executions. Unfortunately, due to space
constraints, we are not able to give full details of the proofs here; however, we 
give the main highlights. Intuitively, what we want to prove is that the multi- 
polynomials we compute cover all “behaviors” of the loop. More precisely, in the 
upper-bound part of the proof we want to cover all behaviors: upper-bounding 
is a universal statement. To prove that bounds are tight, we show that each such 
bound constitutes a lower bound on a certain “worst-case behavior”: tightness 
is an existential statement. The main aspects of these proofs are as follows: 


— A key notion in our proofs is that of realizability. Intuitively, when we come 
up with a bound, we want to show that there are traces that achieve (realize) 
this bound for arbitrarily large input values. 

— In the lower-bound proof, we describe a "behavior" by a pattern. A pattern is constructed like a regular expression with concatenation and Kleene-star. However, they allow no nested iteration constructs, and the starred sub-expressions have to be repeated the same number of times; for example, the pattern p*q* generates the traces {p^t q^t | t > 0}. The proof constructs a pattern for every multi-polynomial computed, showing it is realizable. It is interesting that such simple patterns suffice to establish tight lower bounds for all our programs.

— In the upper-bound proof, we describe all “behaviors” by a finite set of well- 
typed regular expressions [10]. This elegant tool channels the power of the 
Factorization Forest Theorem [25]; this brings out the role of idempotent 
elements, which is key in our algorithm. 

— Interestingly, the lower-bound proof not only justifies the tightness of our 
upper bounds, it also justifies the termination of the algorithm and the appli- 
cation of the Factorization Forest Theorem in the upper-bound proof, because 
it shows that our abstract multi-polynomials generate a finite monoid. 


7 Related Work 


Bound analysis, in the sense of finding symbolic bounds for data values, iteration bounds and related quantities, is a classic field of program analysis [18, 24, 27]. It is also an area of active research, with tools being currently (or recently) developed including COSTA [1], APROVE [13], CiaoPP [19], C⁴B [11], Loopus [26]—all for imperative programs. There is also work on functional and logic programs, term rewriting systems, recurrence relations, etc. which we cannot attempt to survey here. In the rest of this section we survey work which is more directly related to ours, and has even inspired it.

The LOOP language is due to Meyer and Ritchie [20], who note that it computes only primitive recursive functions, but complexity can rise very fast, even for programs with nesting-depth 2. Subsequent work [15-17, 22] concerning similar languages attempted to analyze such programs more precisely; most of them proposed syntactic criteria, or analysis algorithms, that are sufficient for ensuring that the program lies in a desired class (often, polynomial-time programs), but are not both necessary and sufficient: thus, they do not prove decidability (the exception is [17] which has a decidability result for a weak "core" language). The core language we use in this paper is from Ben-Amram et al. [7], who observed that by introducing weak bounded loops instead of concrete loop commands and non-deterministic branching instead of "if", we have weakened the semantics just enough to obtain decidability of polynomial growth-rate. Justifying the necessity of these relaxations, [8] showed undecidability for a language that can only do addition and definite loops (that cannot exit early).

In the vast literature on bound analysis in various forms, there are a few 
other works that give a complete solution for a weak language. Size-change pro- 
grams are considered by [12,28]. Size-change programs abstract away nearly 
everything in the program, leaving a control-flow graph annotated with asser- 
tions about variables which decrease (or do not increase) in a transition. Thus, it 
does not assume structured and explicit loops, and it cannot express information 
about values which increase. Both works yield tight bounds on the number of 
transitions until termination. 

Dealing with a somewhat different problem, [14,21] both check, or find, 
invariants in the form of polynomial equations. We find it remarkable that 
they give complete solutions for weak languages, where the weakness lies in 
the non-deterministic control-flow, as in our language. If one could give a com- 
plete solution for polynomial inequalities, this would have implied a solution to 
our problem as well. 


8 Conclusion and Further Work 


We have solved an open problem in the area of analyzing programs in a simple 
language with bounded loops. For our language, it has been previously shown 
that it is possible to decide whether a variable’s value, number of steps in the 
program, etc. are polynomially bounded or not. Now, we have an algorithm that 
computes tight polynomial bounds on the final values of variables in terms of 
initial values. The bounds are tight up to constant factors (suitable constants are 
also computable). This result improves our understanding of what is computable 
by, and about, programs of this form. An interesting corollary of our algorithm 
is that as long as variables are polynomially bounded, their worst-case bounds are 
described tightly by (multivariate) polynomials. This is, of course, not true for 
common Turing-complete languages. Another interesting corollary of the proofs 
is the definition of a simple class of patterns that suffice to realize the worst-case 
behaviors. This will appear in a planned extended version of this paper. 

There are a number of possible directions for further work. We would like to 
look for decidability results for richer (yet, obviously, sub-recursive) languages. 
Some possible language extensions include deterministic loops, variable resets 
(cf. [4]), explicit constants, and procedures. The inclusion of explicit constants 
is a particularly challenging open problem. 

Rather than extending the language, we could extend the range of bounds 
that we can compute. In light of the results in [17], it seems plausible that 
the approach can be extended to classify the Grzegorczyk-degree of the growth 
rate of variables when they are super-polynomial. There may also be room for
progress regarding precise bounds of the form 2?°. 


In terms of time complexity, our algorithm is polynomial in the size of the program times n”¢, where d is the highest degree of any MP computed. Such exponential behavior is to be expected, since a program can be easily written to compute a multivariate polynomial that is exponentially long to write. But there is still room for finer investigation of this issue.
Abstract. We present a sound and complete bisimilarity for an untyped λ-calculus with higher-order local references. Our relation compares values by applying them to a fresh variable, like normal-form bisimilarity, and it uses environments to account for the evolving store. We achieve completeness by a careful treatment of evaluation contexts comprising open stuck terms. This work improves over Støvring and Lassen's incomplete environment-based normal-form bisimilarity for the λμρ-calculus, and confirms, in relatively elementary terms, Jaber and Tabareau's result, that the state construct is discriminative enough to be characterized with a bisimilarity without any quantification over testing arguments.


1 Introduction 


Two terms are contextually equivalent if replacing one by the other in a big- 
ger program does not change the behavior of the program. The quantification 
over program contexts makes contextual equivalence hard to use in practice and 
it is therefore common to look for more effective characterizations of this rela- 
tion. In a calculus with local state, such a characterization has been achieved 
either through logical relations [1, 5, 15], which rely on types, denotational models [6, 10, 13], or coinductively defined bisimilarities [9, 12, 17-19].

Koutavas et al. [8] argue that to be sound w.r.t. contextual equivalence, a 
bisimilarity for state should accumulate the tested terms in an environment to 
be able to try them again as the store evolves. Such environmental bisimilarities 
usually compare terms by applying them to arguments built from the environ- 
ment [12,17,19], and therefore still rely on some universal quantification over 
testing arguments. An exception is Støvring and Lassen’s bisimilarity [18], which 
compares terms by applying them to a fresh variable, like one would do with a 
normal-form (or open) bisimilarity [11,16]. Their bisimilarity characterizes con- 
textual equivalence in a calculus with control and state, but is not complete in a 
calculus with state only: there exist equivalent terms that are not related by the 
bisimilarity. Jaber and Tabareau [6] go further and propose a sound and complete 
Kripke Open Bisimilarity for a calculus with local state, which also compares 
terms by applying them to a fresh variable, but uses notions from Kripke logical 
relations, namely transition systems of invariants, to reason about heaps. 


© The Author(s) 2019
M. Bojańczyk and A. Simpson (Eds.): FOSSACS 2019, LNCS 11425, pp. 98-114, 2019.
https://doi.org/10.1007/978-3-030-17127-8_6
In this paper, we propose a sound and complete normal-form bisimilarity for a call-by-value λ-calculus with local references which relies on environments to handle heaps. We therefore improve over Støvring and Lassen's work, since our relation is complete, by following a different, potentially simpler, path than Jaber and Tabareau, since we use environments to represent possible worlds and do not rely on any external structures such as transition systems of invariants. Moreover, we do not need types and define our relation in an untyped calculus.

We obtain completeness by treating carefully normal forms that are not values, i.e., open stuck terms of the form E[x v]. First, we distinguish in the environment the terms which should be tested multiple times from the ones that should be run only once, namely the evaluation contexts like E in the above term. The latter are kept in a separate environment that takes the form of a stack, according to the idea presented by Laird [10] and by Jagadeesan et al. [7]. Second, we relate the so-called deferred diverging terms [5, 6], i.e., open stuck terms which hide a diverging behavior in the evaluation context E, with the regular diverging terms.

It may be worth stressing that our congruence proof is based on the machin- 
ery we have developed before [3] and is simpler than Støvring and Lassen’s one, 
in particular in how it accounts for the extensionality of functions. 

We believe that this work makes a contribution to the understanding of how one should adjust the normal-form bisimulation proof principle when the calculus under consideration becomes less discriminative, assuming that one wishes to preserve completeness of the theory. In particular, it is quite straightforward to define a complete normal-form bisimilarity for the λ-calculus with first-class continuations and global store, with no need to refer to other notions than the ones already present in the reduction semantics. Similarly, in the λμρ-calculus (continuations and local references), one only needs to introduce environments to ensure soundness of the theory, but essentially nothing more is required to obtain completeness [18]. In this article we show which new ingredients are needed when moving from these two highly expressive calculi to the corresponding, less discriminative ones—with global or local references only—that do not offer access to the current continuation.

The rest of this paper is as follows. In Sect. 2, we study a simple calculus with 
global store to see how to reach completeness in that case. In particular, we show 
in Sect. 2.2 how we deal with deferred diverging terms. We remind in Sect. 2.3 
the notion of diacritical progress [3] and the framework our bisimilarity and its 
proof of soundness are based upon. We sketch the completeness proof in Sect. 2.4. 
Section 2 paves the way for the main result of the paper, described in Sect. 3, 
where we turn to the calculus with local store. We define the bisimilarity in 
Sect. 3.2, prove its soundness and completeness in Sect. 3.3, and use it in Sect. 3.4 
on examples taken from the literature. We conclude in Sect. 4, where we discuss 
related work and in particular compare our work to Jaber and Tabareau’s. A 
companion report expands on the proofs [4]. 
2 Global Store


We first consider a calculus where terms share a global store and present how 
we deal with deferred diverging terms to get a complete bisimilarity. 


2.1 Syntax, Semantics, and Contextual Equivalence 


We extend the call-by-value λ-calculus with the ability to read and write a global memory. We let x, y, ... range over term variables and l range over references. A store, denoted by h, g, is a finite map from references to values; we write dom(h) for the domain of h, i.e., the set of references on which h is defined. We write ∅ for the empty store, h ⊎ g for the union of two stores, assuming dom(h) ∩ dom(g) = ∅. The syntax of terms and contexts is defined as follows.


Terms: t, s ::= v | t t | l := t; t | !l
Values: v, w ::= x | λx.t
Evaluation contexts: E, F ::= □ | E t | v E | l := E; t


The term l := t; s evaluates t (if possible) and stores the resulting value in l before continuing as s, while !l reads the value kept in l. When writing examples and in the completeness proofs, we use natural numbers, booleans, the conditional if ... then ... else ..., local definitions let ... in ..., sequence ;, and unit (), assuming the usual call-by-value encodings for these constructs.

A λ-abstraction λx.t binds x in t; we write fv(t) (respectively fv(E)) for the set of free variables of t (respectively E). We identify terms up to α-conversion of their bound variables. A variable or reference is fresh if it does not occur in any other entities under consideration, and a store is fresh if it maps references to pairwise distinct fresh variables. A term or context is closed if it has no free variables. We write fr(t) for the set of references that occur in t.

The call-by-value semantics of the calculus is defined on configurations (h | t) such that fr(t) ⊆ dom(h) and for all l ∈ dom(h), fr(h(l)) ⊆ dom(h). We let c and d range over configurations. We write t{v/x} for the usual capture-avoiding substitution of x by v in t, and we let f range over simultaneous substitutions {v1/x1} ... {vn/xn}. We write h[l := v] for the operation updating the value of l to v. The reduction semantics → is defined by the following rules.

(h | (λx.t) v) → (h | t{v/x})          (h | !l) → (h | h(l))
(h | l := v; t) → (h[l := v] | t)       (h | E[t]) → (g | E[s]) if (h | t) → (g | s)


The well-formedness condition on configurations ensures that a read operation !l cannot fail. We write →* for the reflexive and transitive closure of →.

A term t of a configuration (h | t) which cannot reduce further is called a normal form. Normal forms are either values or open-stuck terms of the form E[x v]; closed normal forms can only be λ-abstractions. A configuration terminates, written c ⇓, if it reduces to a normal-form configuration; otherwise it diverges, written c ⇑, like configurations running Ω = (λx.x x) (λx.x x).

Contextual equivalence equates terms behaving the same in all contexts. A substitution f closes a term t if tf is closed; it closes a configuration (h | t) if it closes t and the values in h.


Definition 1. t and s are contextually equivalent, written t ≡ s, if for all contexts E, fresh stores h, and closing substitutions f, (h | E[t])f ⇓ iff (h | E[s])f ⇓.

Testing only evaluation contexts is not a restriction, as it implies the equivalence w.r.t. all contexts ≡_C: one can show that t ≡ s iff λx.t ≡_C λx.s iff λx.t ≡ λx.s.


2.2 Normal-Form Bisimulation 


Informal Presentation. Two open terms are normal-form bisimilar if their normal forms can be decomposed into bisimilar subterms. For example in the plain λ-calculus, a stuck term E[x v] is bisimilar to t if t reduces to a stuck term F[x w] so that respectively E, F and v, w are bisimilar when they are respectively plugged with and applied to a fresh variable.

Such a requirement is too discriminating for many languages, as it distinguishes terms that should be equivalent. For instance in plain λ-calculus, given a closed value v, t ≝ x v is not normal-form bisimilar to s ≝ (λy.x v) (x v). Indeed, □ is not bisimilar to (λy.x v) □ when plugged with a fresh z: the former produces a value z while the latter reduces to a stuck term x v. However, t and s are contextually equivalent, as for all closed values w, t{w/x} and s{w/x} behave like w v: if w v diverges, then they both diverge, and if w v evaluates to some value w', then they also evaluate to w'. Similarly, x v Ω and Ω are not normal-form bisimilar (one is a stuck term while the other is diverging), but they are contextually equivalent by the same reasoning.

The terms t and s are no longer contextually equivalent in a λ-calculus with store, since a function can count how many times it is applied and change its behavior accordingly. More precisely, t and s are distinguished by the context l := 0; (λx.□) λz. l := !l + 1; if !l = 1 then 0 else Ω. But this counting trick is not enough to discriminate x v Ω and Ω, as they are still equivalent in a λ-calculus with store. Although x v Ω is a normal form, it is in fact always diverging when we replace x by an arbitrary closed value w, either because w v itself diverges, or it evaluates to some w' and then w' Ω diverges. A stuck term which hides a diverging behavior has been called deferred diverging in the literature [5, 6].

It turns out that being able to relate a diverging term to a deferred diverging term is all we need to change from the plain λ-calculus normal-form bisimilarity to get a complete equivalence when we add global store. We do so by distinguishing two cases in the clause for open-stuck terms: a configuration (h | E[x v]) is related to c either if c can reduce to a stuck configuration with related subterms, or if E is a diverging context, and we do not require anything of c. The resulting simulation is not symmetric as it relates a deferred diverging configuration with any configuration c (even a converging one), but the corresponding notion of bisimulation equates such a configuration only to either a configuration of the same kind or a diverging configuration such as (h | Ω).
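The reduction semantics of Sect. 2.1 and the deferred-divergence check just described, as an added example that is not the authors' code: a small-step evaluator over configurations (h | t) that decomposes open stuck normal forms into E[x v], and a check that runs E[y] in a fresh store for a fresh y, detecting divergence when a configuration repeats (as Ω does; in general divergence is not decidable, so a step budget is the fallback). The term encoding and the sample terms Ω and I are constructed here.

```python
"""Small-step evaluator for the page's call-by-value lambda-calculus with a
global store (Sect. 2.1), plus the deferred-divergence check of Sect. 2.2.
Added illustration, not the authors' code. Terms are tuples: ('var', x),
('lam', x, t), ('app', t, s), ('set', l, t, s) for "l := t; s", ('get', l)
for "!l"; ('hole',) marks the hole of an evaluation context E."""
import itertools

_counter = itertools.count()


def fresh(base):
    """A name unused elsewhere (assumes user-chosen names never contain '#')."""
    return f"{base}#{next(_counter)}"


def is_value(t):
    return t[0] in ("var", "lam")


def fv(t):
    """Free variables of a term; 'lam' is the only binder."""
    if t[0] == "var":
        return {t[1]}
    if t[0] == "lam":
        return fv(t[2]) - {t[1]}
    return fv(t[-2]) | fv(t[-1]) if t[0] in ("app", "set") else set()


def subst(t, x, v):
    """t{v/x}, renaming a binder that would capture a free variable of v."""
    if t[0] == "var":
        return v if t[1] == x else t
    if t[0] == "lam":
        y, body = t[1], t[2]
        if y == x:
            return t
        if y in fv(v):
            z = fresh(y)
            y, body = z, subst(body, y, ("var", z))
        return ("lam", y, subst(body, x, v))
    if t[0] in ("app", "set"):
        return t[:-2] + (subst(t[-2], x, v), subst(t[-1], x, v))
    return t


def plug(E, t):
    """E[t]: fill the hole of an evaluation context."""
    if E[0] == "hole":
        return t
    return E[:-2] + (plug(E[-2], t), plug(E[-1], t)) if E[0] in ("app", "set") else E


def step(h, t):
    """One step of the reduction rules; None when (h | t) is a normal form."""
    k = t[0]
    if k == "get":
        return h, h[t[1]]  # well-formedness guarantees t[1] in dom(h)
    if k == "set" and is_value(t[2]):
        return {**h, t[1]: t[2]}, t[3]
    if k == "app" and is_value(t[1]) and is_value(t[2]):
        f, a = t[1], t[2]
        return (h, subst(f[2], f[1], a)) if f[0] == "lam" else None  # x v is stuck
    if k in ("set", "app"):  # reduce inside the context l := E; s, E t or v E
        i = 2 if k == "set" or is_value(t[1]) else 1
        r = step(h, t[i])
        return None if r is None else (r[0], t[:i] + (r[1],) + t[i + 1:])
    return None  # values do not reduce


def decompose(t):
    """Write a non-value normal form as E[x v]; returns (E, x, v)."""
    if t[0] == "app" and is_value(t[1]) and is_value(t[2]):
        return ("hole",), t[1][1], t[2]
    i = 2 if t[0] == "set" or is_value(t[1]) else 1
    E, x, v = decompose(t[i])
    return t[:i] + (E,) + t[i + 1:], x, v


def run(h, t, budget=10_000):
    """Evaluate (h | t) to ('value', h, v), ('stuck', h, E, x, v), ('diverges',)
    when a configuration repeats (as Omega does), or ('unknown',) on budget."""
    seen = set()
    while budget > 0:
        budget -= 1
        key = (t, tuple(sorted(h.items())))
        if key in seen:
            return ("diverges",)
        seen.add(key)
        r = step(h, t)
        if r is None:
            return ("value", h, t) if is_value(t) else ("stuck", h) + decompose(t)
        h, t = r
    return ("unknown",)


def is_diverging_context(E, h, depth=10):
    """Sect. 2.2 check: run (h' | E[y]) for a fresh y and a fresh store h' (each
    reference of h mapped to a distinct fresh variable); E is (deferred)
    diverging if that diverges or gets stuck again in a diverging context."""
    g = {l: ("var", fresh("r")) for l in h}
    res = run(g, plug(E, ("var", fresh("y"))))
    if res[0] == "diverges":
        return True
    return res[0] == "stuck" and depth > 0 and is_diverging_context(res[2], res[1], depth - 1)


# Constructed sample terms: Omega = (\d.d d) (\d.d d) and the identity I.
OMEGA = ("app", ("lam", "d", ("app", ("var", "d"), ("var", "d"))),
         ("lam", "d", ("app", ("var", "d"), ("var", "d"))))
I = ("lam", "z", ("var", "z"))
```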
Progress. We define simulation using the notion of diacritical progress we developed in a previous work [2, 3], which distinguishes between active and passive clauses. Roughly, passive clauses are between simulation states which should be considered equal, while active clauses are between states where actual progress is taking place. This distinction does not change the notions of bisimulation or bisimilarity, but it simplifies the soundness proof of the bisimilarity. It also allows for the definition of powerful up-to techniques, relations that are easier to use than bisimulations but still imply bisimilarity. For normal-form bisimilarity, our framework enables up-to techniques which respect η-expansion [3].

Progress is defined between objects called candidate relations, denoted by R, S, T. A candidate relation R contains pairs of configurations, and a set of configurations written R^⇑, which we expect to be composed of diverging or deferred diverging configurations (for such relations we take R^{-1⇑} to be R^⇑). We extend R to stores, terms, values, and contexts with the following definitions (each an inference rule, premises first):

– h R^h g if dom(h) = dom(g) and h(l) R^v g(l) for all l;
– t R^t s if (h | t) R (h | s) for a fresh h;
– v R^v w if v x R^t w x for a fresh x;
– E R^c F if E[x] R^t F[x] for a fresh x;
– E ∈ R^{⇑c} if (h | E[x]) ∈ R^⇑ for fresh x and h.


We use these extensions to define progress as follows. 


Definition 2. A candidate relation R progresses to S, T, written R ⇢ S, T, if R ⊆ S, S ⊆ T, and

1. c R d implies
– if c → c', then d →* d' and c' T d';
– if c = (h | v), then d →* (g | w), h S^h g, and v S^v w;
– if c = (h | E[x v]), then either
• d →* (g | F[x w]), h T^h g, E T^c F, and v T^v w, or
• E ∈ T^{⇑c}.
2. c ∈ R^⇑ implies c ≠ (h | v) for all h and v and
– if c → c', then c' ∈ T^⇑;
– if c = (h | E[x v]), then E ∈ T^{⇑c}.

A normal-form simulation is a candidate relation R such that R ⇢ R, R, and a bisimulation is a candidate relation R such that R and R^{-1} are simulations. Normal-form bisimilarity ≈ is the union of all normal-form bisimulations.


We test values and contexts by applying or plugging them with a fresh variable z, 
and running them in a fresh store; with a global memory, the value represented 
by x may access any reference and assign it an arbitrary value, hence the need 
for a fresh store. The stores of two bisimilar value configurations must have the 
same domain, as it would be easy to distinguish them otherwise by testing the 
content of the references that would be in one store but not in the other. 

The main novelty compared to usual definitions of normal-form bisimilarity [3, 11] is the set of (deferred) diverging configurations used in the stuck terms clause. We detect that E in a configuration (h | E[x v]) is (deferred) diverging by running (h' | E[y]) where y and h' are fresh; this configuration may then diverge or evaluate to another deferred diverging configuration (h | E'[x v]).

Like in the plain λ-calculus [3], R progresses towards S in the value clause and T in the others; the former is passive while the others are active. Our framework prevents some up-to techniques from being applied after a passive transition. In particular, we want to forbid the application of bisimulation up to context as it would be unsound: we could deduce that v x and w x are equivalent for all v and w just by building a candidate relation containing v and w.


Example 1. To prove that (h | x v Ω) ≈ (h | Ω) holds for all v and h, we prove that R ≝ {((h | x v Ω), (h | Ω))}, {(g | y Ω) | y, g fresh} is a bisimulation. Indeed, (h | x v Ω) is stuck with (g | y Ω) ∈ R^⇑ for fresh y and g, and we have (g | y Ω) → (g | y Ω). Conversely, the transition (h | Ω) → (h | Ω) is matched by (h | x v Ω) →* (h | x v Ω) and the resulting terms are in R.


2.3 Soundness 


In this framework, proving that ≈ is sound is a consequence of the fact that a form of bisimulation up to context is valid, a result which itself may require proving that other up-to techniques are valid. We distinguish the techniques which can be used in passive clauses (called strong up-to techniques) from the ones which cannot. An up-to technique (resp. strong up-to technique) is a function f such that R ⇢ R, f(R) (resp. R ⇢ f(R), f(R)) implies R ⊆ ≈. To show that a given f is an up-to technique, we rely on a notion of respectfulness, which is simpler to prove and gives sufficient conditions for f to be an up-to technique.

We briefly recall the notions we need from our previous work [2]. We extend ⊆ and ∪ to functions argument-wise (e.g., (f ∪ g)(R) = f(R) ∪ g(R)), and given a set F of functions, we also write F for the function defined as ⋃_{f∈F} f. We define f^ω as ⋃_{n∈ℕ} f^n. We write id for the identity function on relations, and f̂ for f ∪ id. A function f is monotone if R ⊆ S implies f(R) ⊆ f(S). We write P_fin(R) for the set of finite subsets of R, and we say f is continuous if it can be defined by its image on these finite subsets, i.e., if f(R) ⊆ ⋃_{S ∈ P_fin(R)} f(S). The up-to techniques we use are defined by inference rules with a finite number of premises, so they are trivially continuous.


Definition 3. A function f evolves to g, h, written f ⇝ g, h, if for all R and T, R ⇢ R, T implies f(R) ⇢ g(R), h(T). A function f strongly evolves to g, h, written f ⇝_s g, h, if for all R, S, and T, R ⇢ S, T implies f(R) ⇢ g(S), h(T).

Evolution can be seen as progress for functions on relations. Evolution is more restrictive than strong evolution, as it requires R such that R ⇢ R, T.


Definition 4. A set F of continuous functions is respectful if there exists S such that S ⊆ F and

– for all f ∈ S, we have f ⇝_s S^ω, F^ω;
– for all f ∈ F, we have f ⇝ Ŝ^ω ∘ F̂ ∘ Ŝ^ω, F^ω.

Fig. 1 gives the up-to techniques as inference rules (premises, then conclusion):

– subst: from c R d and v R^v w, conclude c{v/x} subst(R) d{w/x}; from c ∈ R^⇑, conclude c{v/x} ∈ subst(R)^⇑.
– plug_c: from (h | t) R (g | s) and E R^c F, conclude (h | E[t]) plug_c(R) (g | F[s]).
– plug_⇑: from (h | t) ∈ R^⇑, conclude (h | E[t]) ∈ plug_⇑(R)^⇑.
– red: from c →* c', d →* d', and c' R d', conclude c red(R) d.
– div: from c ∈ R^⇑, conclude c div(R) d.
– plugdiv: from E ∈ R^{⇑c}, conclude (h | E[t]) ∈ plugdiv(R)^⇑.

Fig. 1. Up-to techniques for the calculus with global store


In words, a function is in a respectful set F if it evolves towards a combination of functions in F after active clauses, and in S after passive ones. When checking that f is regular (second case), we can use a regular function at most once after a passive clause. The (possibly empty) subset S intuitively represents the strong up-to techniques of F. If S1 and S2 are subsets of F which verify the conditions of the definition, then S1 ∪ S2 also does, so there exists the largest subset of F which satisfies the conditions, written strong(F).

Lemma 1. Let F be a respectful set.

– If f ∈ F, then f is an up-to technique. If f ∈ strong(F), then f is a strong up-to technique.
– For all f ∈ F, we have f(≈) ⊆ ≈.


Showing that f is in a respectful set F is easier than proving it is an up-to technique. Besides, proving that a bisimulation up to context is respectful implies that ≈ is preserved by contexts thanks to the last property of Lemma 1.

The up-to techniques for the calculus with global store are given in Fig. 1. The techniques subst and plug allow to prove that ≈ is preserved by substitution and by evaluation contexts. The remaining ones are auxiliary techniques which are used in the respectfulness proof: red relies on the fact that the calculus is deterministic to relate terms up to reduction steps. The technique div allows to relate a diverging configuration to any other configuration, while plugdiv states that if E is a diverging context, then (h | E[t]) is a diverging configuration for all h and t. We distinguish the technique plug_⇑ from plug_c to get a more fine-grained classification, as plug_c is the only one which is not strong.

Lemma 2. The set F ≝ {subst, plug_m, red, div, plugdiv | m ∈ {c, ⇑}} is respectful, with strong(F) = F \ {plug_c}.

We omit the proof, as it is similar to but much simpler than that for the calculus with local store of Sect. 3. We deduce that ≈ is sound using Lemma 1.

Theorem 1. For all t, s, and fresh store h, if (h | t) ≈ (h | s), then t ≡ s.
2.4 Completeness

We prove the reverse implication by building a bisimulation which contains ≡.

Theorem 2. For all t, s, if t ≡ s, then for all fresh stores h, (h | t) ≈ (h | s).

Proof (Sketch). It suffices to show that the candidate R defined as

$\{((h \mid t), (g \mid s)) \mid \forall E, h_E, \text{closing } f,\ (h \uplus h_E \mid E[t])f \Downarrow \implies (g \uplus h_E \mid E[s])f \Downarrow\}$
$\cup\ \{(h \mid t) \mid \forall E, h_E, \text{closing } f,\ (h \uplus h_E \mid E[t])f \Uparrow\}$

is a simulation. We proceed by case analysis on the behavior of (h | t). The details are in the report [4]; we sketch the proof in the case when (h | t) R (g | s), t = E[x v], and E is not deferred diverging.

A first step is to show that (g | s) also evaluates to an open-stuck configuration with x in function position. To do so, we consider a fresh l and we define f such that f(y) sets l at 1 when it is first applied if y = x, and at 2 if y ≠ x. Then (h ⊎ l := 0 | t)f sets l at 1, which should also be the case of (g ⊎ l := 0 | s)f, and it is possible only if (g | s) →* (g' | F[x w]) for some g', F, and w.

We then have to show that E R^c F, v R^v w, and h R^h g'. We sketch the proof for the contexts, as the proofs for the values and the stores are similar. Given h_f a fresh store, y a fresh variable, E' a context, h_E a store, f a closing substitution, we want (h_f ⊎ h_E | E'[E[y]])f ⇓ iff (h_f ⊎ h_E | E'[F[y]])f ⇓.

Let l be a fresh reference. Assuming dom(h) = {l_1 ... l_n}, given a term t, we write ⋃_i l_i := h; t for l_1 := h(l_1); ... l_n := h(l_n); t. We define

$f_E(z) \triangleq \lambda a.\ \textbf{if}\ !l = 0\ \textbf{then}\ l := 1;\ \textstyle\bigcup_i l_i := h_f \uplus h_E;\ f(y)\ \textbf{else}\ f(x)\ a \qquad \text{if } z = x$
$f_E(z) \triangleq f(z) \qquad \text{if } z \neq x$

The substitution f_E behaves like f except that when f(x) is applied for the first time, it replaces its argument by f(y) and sets the store to h_f ⊎ h_E. Therefore (h ⊎ l := 0 | E'[t])f_E →* (h_f ⊎ h_E ⊎ l := 1 | E'[E[y]])f_E, but this configuration then behaves like (h_f ⊎ h_E | E'[E[y]])f. Similarly, (g ⊎ l := 0 | E'[s])f_E evaluates to a configuration equivalent to (h_f ⊎ h_E | E'[F[y]])f, and since (h ⊎ l := 0 | E'[t])f_E ⇓ implies (g ⊎ l := 0 | E'[s])f_E ⇓, we can conclude from there.


3 Local Store 


We adapt the ideas of the previous section to a calculus where terms create their 
own local store. To be able to deal with local resources, the relation we define 
mixes principles from normal-form and environmental bisimilarities. 
3.1 Syntax, Semantics, and Contextual Equivalence


In this section, the terms no longer share a global store, but instead must create 
local references before storing values. We extend the syntax of Sect.2 with a 
construct to create a new reference. 


Terms: $t, s ::= \ldots \mid \mathtt{new}\ l := v\ \mathtt{in}\ t$

Reference creation $\mathtt{new}\ l := v\ \mathtt{in}\ t$ binds $l$ in $t$; we identify terms up to $\alpha$-conversion of their references. We write $\mathrm{fr}(t)$ and $\mathrm{fr}(E)$ for the set of free references of $t$ or $E$, and a term or context is reference-closed if its set of free references is empty. Following [18] and in contrast with [5,6], references are not values, but we can still give access to a reference $l$ by passing $\lambda x.\,{!l}$ and $\lambda x.\, l := x;\ \lambda y.y$.

As before, the semantics is defined on configurations $\langle h \mid t \rangle$ verifying $\mathrm{fr}(t) \subseteq \mathrm{dom}(h)$ and, for all $l \in \mathrm{dom}(h)$, $\mathrm{fr}(h(l)) \subseteq \mathrm{dom}(h)$. We add to the rules of Sect. 2 the following one for reference creation.

$$\langle h \mid \mathtt{new}\ l := v\ \mathtt{in}\ t \rangle \to \langle h \uplus l := v \mid t \rangle$$

We recall that $\uplus$ is defined for disjoint stores only, so the above rule assumes that $l \notin \mathrm{dom}(h)$, which is always possible using $\alpha$-conversion.

We define contextual equivalence on reference-closed terms, as we expect programs to allocate their own store.

Definition 5. Two reference-closed terms $t$ and $s$ are contextually equivalent, written $t \equiv s$, if for all reference-closed evaluation contexts $E$ and closing substitutions $f$, $\langle \emptyset \mid E[t] \rangle f \Downarrow$ iff $\langle \emptyset \mid E[s] \rangle f \Downarrow$.


3.2 Bisimilarity 


With local stores, an external observer no longer has direct access to the stored 
values. In presence of such information hiding, a sound bisimilarity relies on an 
environment to accumulate terms which should be tested in different stores [8]. 
Example 2. Let $f_1 \stackrel{\mathrm{def}}{=} \lambda x.\ \mathtt{if}\ {!l} = \mathtt{true}\ \mathtt{then}\ l := \mathtt{false};\ \mathtt{true}\ \mathtt{else}\ \mathtt{false}$ and $f_2 \stackrel{\mathrm{def}}{=} \lambda x.\ \mathtt{true}$. If we compare $\mathtt{new}\ l := \mathtt{true}\ \mathtt{in}\ f_1$ and $f_2$ only once in the empty store, they would be seen as equivalent, as they both return $\mathtt{true}$; however, $f_1$ modifies its store, so running $f_1$ and $f_2$ a second time distinguishes them.


Environments generally contain only values [17], except in $\lambda\mu\rho$ [18], where plugged evaluation contexts are kept in the environment when comparing open-stuck configurations. In contrast with $\lambda\mu\rho$, our environment collects values, and we use a stack for registering contexts [7,10]. Unlike values, contexts are therefore tested only once, following a last-in first-out ordering. The next example shows that considering contexts repeatedly would lead to an overly discriminating bisimilarity. For the stack discipline of testing contexts in action, see Example 8 in Sect. 3.4.


A Complete Normal-Form Bisimilarity for State 107 


Example 3. With the same $f_1$ and $f_2$ as in Example 2, the terms $t \stackrel{\mathrm{def}}{=} \mathtt{new}\ l := \mathtt{true}\ \mathtt{in}\ f_1\ (x\ \lambda y.y)$ and $s \stackrel{\mathrm{def}}{=} f_2\ (x\ \lambda y.y)$ are contextually equivalent. Roughly, for all closing substitutions $f$, $t$ and $s$ either both diverge (if $f(x)\ \lambda y.y$ diverges), or evaluate to $\mathtt{true}$, since $f(x)$ cannot modify the value in $l$. Testing $f_1\ \square$ and $f_2\ \square$ twice would discriminate them and wrongfully distinguish $t$ and $s$.


Remark 1. The bisimilarity for $\lambda\mu\rho$ runs evaluation contexts several times and is still complete because of the $\mu$ operator, which, like call/cc, captures evaluation contexts, and may then execute them several times.


We let $\mathcal{E}$ range over sets of pairs of values, and $\epsilon$ over sets of values. Similarly, we write $\Sigma$ for a stack of pairs of evaluation contexts and $\sigma$ for a stack of evaluation contexts. We write $\odot$ for the empty stack, $::$ for the operator putting an element on top of a stack, and $+$ for the concatenation of two stacks. The projection operator $\pi_1$ transforms a set or stack of pairs into respectively a set or stack of single elements by taking the first element of each pair. A candidate relation $\mathcal{R}$ can be composed of:

- quadruples $(\mathcal{E}, \Sigma, c, d)$, written $\mathcal{E}, \Sigma \vdash c \mathrel{\mathcal{R}} d$, meaning that $c$ and $d$ are related under $\mathcal{E}$ and $\Sigma$;

- quadruples $(\mathcal{E}, \Sigma, h, g)$, written $\mathcal{E}, \Sigma \vdash h \mathrel{\mathcal{R}} g$, meaning that the elements of $\mathcal{E}$ and the top of $\Sigma$ should be related when run with the stores $h$ and $g$;

- triples $(\epsilon, \sigma, c)$, written $\epsilon, \sigma \vdash c \in \mathcal{R}\Uparrow$, meaning that either $c$ is (deferred) diverging, or $\sigma$ is non-empty and contains a (deferred) diverging context;

- triples $(\epsilon, \sigma, h)$, written $\epsilon, \sigma \vdash h \in \mathcal{R}\Uparrow$, meaning that $\sigma$ is non-empty and contains a (deferred) diverging context.


Definition 6. A candidate relation $\mathcal{R}$ progresses to $\mathcal{S}, \mathcal{T}$, written $\mathcal{R} \rightarrowtail \mathcal{S}, \mathcal{T}$, if $\mathcal{R} \subseteq \mathcal{S}$, $\mathcal{S} \subseteq \mathcal{T}$, and

1. $\mathcal{E}, \Sigma \vdash c \mathrel{\mathcal{R}} d$ implies
   - if $c \to c'$, then $d \to^* d'$ and $\mathcal{E}, \Sigma \vdash c' \mathrel{\mathcal{T}} d'$;
   - if $c = \langle h \mid v \rangle$, then either
     • $d \to^* \langle g \mid w \rangle$, and $\mathcal{E} \cup \{(v,w)\}, \Sigma \vdash h \mathrel{\mathcal{S}} g$, or
     • $\Sigma \ne \odot$ and $\pi_1(\mathcal{E}) \cup \{v\}, \pi_1(\Sigma) \vdash h \in \mathcal{S}\Uparrow$;
   - if $c = \langle h \mid E[x\,v] \rangle$, then either
     • $d \to^* \langle g \mid F[x\,w] \rangle$, and $\mathcal{E} \cup \{(v,w)\}, (E,F) :: \Sigma \vdash h \mathrel{\mathcal{S}} g$, or
     • $\pi_1(\mathcal{E}) \cup \{v\}, E :: \pi_1(\Sigma) \vdash h \in \mathcal{S}\Uparrow$.
2. $\mathcal{E}, \Sigma \vdash h \mathrel{\mathcal{R}} g$ implies
   - if $v \mathrel{\mathcal{E}} w$, then $\mathcal{E}, \Sigma \vdash \langle h \mid v\,x \rangle \mathrel{\mathcal{S}} \langle g \mid w\,x \rangle$ for a fresh $x$;
   - if $\Sigma = (E,F) :: \Sigma'$, then $\mathcal{E}, \Sigma' \vdash \langle h \mid E[x] \rangle \mathrel{\mathcal{S}} \langle g \mid F[x] \rangle$ for a fresh $x$.
3. $\epsilon, \sigma \vdash c \in \mathcal{R}\Uparrow$ implies
   - if $c \to c'$, then $\epsilon, \sigma \vdash c' \in \mathcal{T}\Uparrow$;
   - if $c = \langle h \mid v \rangle$, then $\sigma \ne \odot$ and $\epsilon \cup \{v\}, \sigma \vdash h \in \mathcal{S}\Uparrow$;
   - if $c = \langle h \mid E[x\,v] \rangle$, then $\epsilon \cup \{v\}, E :: \sigma \vdash h \in \mathcal{S}\Uparrow$.
4. $\epsilon, \sigma \vdash h \in \mathcal{R}\Uparrow$ implies that $\sigma \ne \odot$ and
   - if $v \in \epsilon$, then $\epsilon, \sigma \vdash \langle h \mid v\,x \rangle \in \mathcal{S}\Uparrow$ for a fresh $x$;
   - if $\sigma = E :: \sigma'$, then $\epsilon, \sigma' \vdash \langle h \mid E[x] \rangle \in \mathcal{S}\Uparrow$ for a fresh $x$.

A normal-form simulation is a candidate relation $\mathcal{R}$ such that $\mathcal{R} \rightarrowtail \mathcal{R}, \mathcal{R}$, and a bisimulation is a candidate relation $\mathcal{R}$ such that $\mathcal{R}$ and $\mathcal{R}^{-1}$ are simulations. Normal-form bisimilarity $\approx$ is the union of all normal-form bisimulations.


When $\mathcal{E}, \Sigma \vdash c \mathrel{\mathcal{R}} d$, we reduce $c$ until we get a value $v$ or a stuck term $E[x\,v]$. At that point, either $d$ also reduces to a normal form of the same kind, or we test (the first projection of) the stack $\Sigma$ for divergence, assuming it is not empty. In the former case, we add the values to $\mathcal{E}$ and the evaluation contexts at the top of $\Sigma$, getting a judgment of the form $\mathcal{E}', \Sigma' \vdash h \mathrel{\mathcal{R}} g$, which then tests the environment and the stack by running either terms in $\mathcal{E}'$ or at the top of $\Sigma'$.


Example 4. We sketch the bisimulation proof for the terms $t$ and $s$ of Example 3. Because $\langle \emptyset \mid t \rangle \to^* \langle l := \mathtt{true} \mid f_1\ (x\ \lambda y.y) \rangle$ and $\langle \emptyset \mid s \rangle = \langle \emptyset \mid f_2\ (x\ \lambda y.y) \rangle$, we need to define $\mathcal{R}$ such that $\{(\lambda y.y, \lambda y.y)\}, (f_1\ \square, f_2\ \square) :: \odot \vdash l := \mathtt{true} \mathrel{\mathcal{R}} \emptyset$. Testing the equal values in the environment is easy with up-to techniques. For the contexts on the stack, we need $\{(\lambda y.y, \lambda y.y)\}, \odot \vdash \langle l := \mathtt{true} \mid f_1\ z \rangle \mathrel{\mathcal{R}} \langle \emptyset \mid f_2\ z \rangle$ for a fresh $z$. Since $\langle l := \mathtt{true} \mid f_1\ z \rangle \to^* \langle l := \mathtt{false} \mid \mathtt{true} \rangle$ and $\langle \emptyset \mid f_2\ z \rangle \to^* \langle \emptyset \mid \mathtt{true} \rangle$, we need $\{(\lambda y.y, \lambda y.y), (\mathtt{true}, \mathtt{true})\}, \odot \vdash l := \mathtt{false} \mathrel{\mathcal{R}} \emptyset$, which is simple to check.


Example 5. In contrast, we show that $t' \stackrel{\mathrm{def}}{=} \mathtt{new}\ l := \mathtt{true}\ \mathtt{in}\ f_1\ (x\ \lambda y.\, l := y;\ y)$ and $s' \stackrel{\mathrm{def}}{=} f_2\ (x\ \lambda y.y)$ are not bisimilar. We would need to build $\mathcal{R}$ such that $\{(\lambda y.\, l := y;\ y,\ \lambda y.y)\}, (f_1\ \square, f_2\ \square) :: \odot \vdash l := \mathtt{true} \mathrel{\mathcal{R}} \emptyset$. Testing the values in the environment, we want $\{(\lambda y.\, l := y;\ y,\ \lambda y.y), (z,z)\}, (f_1\ \square, f_2\ \square) :: \odot \vdash l := z \mathrel{\mathcal{R}} \emptyset$ for a fresh $z$. Executing the contexts on the stack, we get a stuck term of the form $\mathtt{if}\ z\ \mathtt{then}\ l := \mathtt{false};\ \mathtt{true}\ \mathtt{else}\ \mathtt{false}$ and a value $\mathtt{true}$, which cannot be related, because the former is not deferred diverging.

The terms $t'$ and $s'$ are therefore not bisimilar, and they are indeed not contextually equivalent, since $t'$ gives access to its private reference by passing $\lambda y.\, l := y;\ y$ to $x$. The function represented by $x$ can then change the value of $l$ to $\mathtt{false}$ and break the equivalence.


The last two cases of the bisimulation definition aim at detecting a deferred diverging context. The judgment $\epsilon, \sigma \vdash h \in \mathcal{R}\Uparrow$ roughly means that if $\sigma = E_n :: \ldots :: E_1 :: \odot$, then the configuration $\langle h' \mid E_1[\ldots E_n[x]] \rangle$ diverges for all fresh $x$ and all $h'$ obtained by running a term from $\epsilon$ with the store $h$. As a result, when $\epsilon, \sigma \vdash h \in \mathcal{R}\Uparrow$, we have two possibilities: either we run a term from $\epsilon$ in $h$ to potentially change $h$, or we run the context at the top of $\sigma$ (which cannot be empty in that case) to check if it is diverging. In both cases, we get a judgment of the form $\epsilon, \sigma' \vdash c \in \mathcal{R}\Uparrow$. In that case, either $c$ diverges and we are done, or it terminates, meaning that we have to look for divergence in $\sigma'$.

Example 6. We prove that $\langle \emptyset \mid x\,v\,\Omega \rangle$ and $\langle \emptyset \mid \Omega \rangle$ are bisimilar. We define $\mathcal{R}$ such that $\emptyset, \odot \vdash \langle \emptyset \mid x\,v\,\Omega \rangle \mathrel{\mathcal{R}} \langle \emptyset \mid \Omega \rangle$, for which we need $\{v\}, \square\,\Omega :: \odot \vdash \emptyset \in \mathcal{R}\Uparrow$, which itself holds if $\{v\}, \odot \vdash \langle \emptyset \mid y\,\Omega \rangle \in \mathcal{R}\Uparrow$.


Finally, only the two clauses where a reduction step takes place are active; all the others are passive, because they are simply switching from one judgment to the other without any real progress taking place. For example, when comparing value configurations, we go from a configuration judgment $\mathcal{E}, \Sigma \vdash c \mathrel{\mathcal{R}} d$ to a store judgment $\mathcal{E}, \Sigma \vdash h \mathrel{\mathcal{R}} g$ or a diverging store judgment $\epsilon, \sigma \vdash h \in \mathcal{R}\Uparrow$. In a (diverging) store judgment, we simply decide whether we reduce a term from the environment or from the stack, going back to a (diverging) configuration judgment. Actual progress is made only when we start reducing the chosen configuration.

$$\frac{\mathcal{E}, \Sigma \vdash c \mathrel{\mathcal{R}} d \qquad v \mathrel{\mathcal{E}} w \qquad x \notin \mathrm{fv}(v) \cup \mathrm{fv}(w)}{\mathcal{E}\{(v,w)/x\}, \Sigma\{(v,w)/x\} \vdash c\{v/x\} \mathrel{\mathrm{subst}_c(\mathcal{R})} d\{w/x\}}$$

$$\frac{\mathcal{E}, \Sigma_1 + (E_1,F_1) :: (E_2,F_2) :: \Sigma_2 \vdash \langle h \mid t \rangle \mathrel{\mathcal{R}} \langle g \mid s \rangle}{\mathcal{E}, \Sigma_1 + (E_2[E_1], F_2[F_1]) :: \Sigma_2 \vdash \langle h \mid t \rangle \mathrel{\mathrm{ccomp}(\mathcal{R})} \langle g \mid s \rangle}$$

$$\frac{\mathcal{E}, (E,F) :: \Sigma \vdash \langle h \mid t \rangle \mathrel{\mathcal{R}} \langle g \mid s \rangle}{\mathcal{E}, \Sigma \vdash \langle h \mid E[t] \rangle \mathrel{\mathrm{plug}(\mathcal{R})} \langle g \mid F[s] \rangle} \qquad \frac{c \to^* c' \qquad d \to^* d' \qquad \mathcal{E}, \Sigma \vdash c' \mathrel{\mathcal{R}} d'}{\mathcal{E}, \Sigma \vdash c \mathrel{\mathrm{red}(\mathcal{R})} d}$$

$$\frac{\epsilon, \sigma \vdash \langle h \mid t \rangle \in \mathcal{R}\Uparrow \qquad \pi_1(\mathcal{E}) = \epsilon \qquad \pi_1(\Sigma) = \sigma}{\mathcal{E}, \Sigma \vdash \langle h \mid t \rangle \mathrel{\mathrm{div}(\mathcal{R})} \langle g \mid s \rangle} \qquad \frac{\mathcal{E}, \Sigma \vdash c \mathrel{\mathcal{R}} d \qquad \mathcal{E}' \subseteq \mathcal{E}}{\mathcal{E}', \Sigma \vdash c \mathrel{\mathrm{weak}(\mathcal{R})} d}$$

$$\frac{\mathcal{E}, \Sigma_1 + \Sigma_2 \vdash \langle h \mid t \rangle \mathrel{\mathcal{R}} \langle g \mid s \rangle \qquad \mathrm{fr}(E) \subseteq \mathrm{dom}(h')}{\mathcal{E}, \Sigma_1 + (E,E) :: \Sigma_2 \vdash \langle h \uplus h' \mid t \rangle \mathrel{\mathrm{refl}(\mathcal{R})} \langle g \uplus h' \mid s \rangle}$$

Fig. 2. Selected up-to techniques for the calculus with local store


3.3 Soundness and Completeness 


We briefly discuss the up-to techniques we need to prove soundness. We write $\mathcal{E}\{(v,w)/x\}$ for the environment $\{(v'\{v/x\}, w'\{w/x\}) \mid v' \mathrel{\mathcal{E}} w'\}$, and we also define $\Sigma\{(v,w)/x\}$, $\epsilon\{v/x\}$, and $\sigma\{v/x\}$ as expected. To save space, Fig. 2 presents the up-to techniques for the configuration judgment only; see the report [4] for the other judgments.

As in Sect. 2.3, the techniques subst and plug allow us to reason up to substitution and plugging into an evaluation context, except that the substituted values and plugged contexts must be taken from the environment and the top of the stack, respectively. The technique div relates a diverging configuration to any configuration, as in the calculus with global store. The technique ccomp allows us to merge successive contexts in the stack into one. The weakening technique weak, originally known as bisimulation up to environment [17], is a usual technique for environmental bisimulations. Making the environment smaller creates a weaker judgment, as having fewer testing terms means a less discriminating candidate relation. Bisimulation up to reduction red is also standard and allows for big-step reasoning by ignoring reduction steps. Finally, the technique refl allows us to introduce identical contexts in the stack, but also values in the environment or terms in configurations (see the report [4]).
We denote by $\mathrm{subst}_c$ the up-to-substitution technique restricted to the configuration and diverging configuration judgments, and by $\mathrm{subst}_s$ its restriction to the store and diverging store judgments.

Lemma 3. The set $\mathfrak{S} \stackrel{\mathrm{def}}{=} \{\mathrm{subst}_m, \mathrm{plug}, \mathrm{ccomp}, \mathrm{div}, \mathrm{weak}, \mathrm{red}, \mathrm{refl} \mid m \in \{c, s\}\}$ is respectful, with $\mathrm{strong}(\mathfrak{S}) = \{\mathrm{subst}_s, \mathrm{ccomp}, \mathrm{div}, \mathrm{weak}, \mathrm{red}, \mathrm{refl}\}$.


In contrast with Sect. 2.3 and our previous work [3], $\mathrm{subst}_c$ is not strong, because values are taken from the environment. Indeed, if $\mathrm{subst}_c$ were strong, then from $\{(v,w)\}, \odot \vdash \emptyset \mathrel{\mathcal{R}} \emptyset$ we could derive $\{(v,w)\}, \odot \vdash \langle \emptyset \mid y\,x \rangle \mathrel{\mathrm{refl}(\mathcal{R})} \langle \emptyset \mid y\,x \rangle$ and then $\{(v,w)\}, \odot \vdash \langle \emptyset \mid v\,x \rangle \mathrel{\mathrm{subst}_c(\mathrm{refl}(\mathcal{R}))} \langle \emptyset \mid w\,x \rangle$ for any $v$ and $w$, which would be unsound.

The respectfulness proofs are in the report [4]. Using refl, plug, $\mathrm{subst}_c$, and Lemma 1, we prove that $\approx$ is preserved by evaluation contexts and substitution, from which we deduce that it is sound w.r.t. contextual equivalence.

Theorem 3. For all $t$ and $s$, if $\emptyset, \odot \vdash \langle \emptyset \mid t \rangle \approx \langle \emptyset \mid s \rangle$, then $t \equiv s$.


To establish completeness, we follow the proof of Theorem 2, i.e., we construct 
a candidate relation R that contains = and prove it is a simulation by case 
analysis on the behavior of the related terms. 


Theorem 4. For all $t$ and $s$, if $t \equiv s$, then $\emptyset, \odot \vdash \langle \emptyset \mid t \rangle \approx \langle \emptyset \mid s \rangle$.


The main difference is that the contexts and closing substitutions are built from 
the environment using compatible closures [17], to take into account the private 
resources of the related terms. We discuss the proof in the report [4]. 


3.4 Examples 
Example 7. We start with the so-called awkward example [5,6,15]. Let

$$v \stackrel{\mathrm{def}}{=} \lambda f.\ l := 0;\ f\,();\ l := 1;\ f\,();\ {!l} \qquad\qquad w \stackrel{\mathrm{def}}{=} \lambda f.\ f\,();\ f\,();\ 1$$

We equate $\mathtt{new}\ l := 0\ \mathtt{in}\ v$ and $w$, building the candidate $\mathcal{R}$ incrementally, starting from $\{(v,w)\}, \odot \vdash l := 0 \mathrel{\mathcal{R}} \emptyset$.

Running $v$ and $w$ with a fresh variable $f$, we obtain $\langle l := 0 \mid E_1[f\,()] \rangle$ and $\langle \emptyset \mid F_1[f\,()] \rangle$ with $E_1 \stackrel{\mathrm{def}}{=} \square;\ l := 1;\ f\,();\ {!l}$ and $F_1 \stackrel{\mathrm{def}}{=} \square;\ f\,();\ 1$. Ignoring the identical unit arguments (using refl), we need $\{(v,w)\}, (E_1,F_1) :: \odot \vdash l := 0 \mathrel{\mathcal{R}} \emptyset$; from that point, we can either test $v$ and $w$ again, resulting in an extra pair $(E_1,F_1)$ on the stack, or run $\langle l := 0 \mid E_1[g] \rangle$ and $\langle \emptyset \mid F_1[g] \rangle$ for a fresh $g$ instead. In the latter case, we get $\langle l := 1 \mid E_2[g\,()] \rangle$ and $\langle \emptyset \mid F_2[g\,()] \rangle$, with $E_2 \stackrel{\mathrm{def}}{=} \square;\ {!l}$ and $F_2 \stackrel{\mathrm{def}}{=} \square;\ 1$, so we want $\{(v,w)\}, (E_2,F_2) :: \odot \vdash l := 1 \mathrel{\mathcal{R}} \emptyset$ (ignoring again the units). From there, testing $v$ and $w$ produces $\{(v,w)\}, (E_1,F_1) :: (E_2,F_2) :: \odot \vdash l := 0 \mathrel{\mathcal{R}} \emptyset$, while executing $\langle l := 1 \mid E_2[x] \rangle$ and $\langle \emptyset \mid F_2[x] \rangle$ for a fresh $x$ gives us $\langle l := 1 \mid 1 \rangle$ and $\langle \emptyset \mid 1 \rangle$. This analysis suggests that $\mathcal{R}$ should be composed only of judgments of the form $\{(v,w)\}, \Sigma \vdash l := n \mathrel{\mathcal{R}} \emptyset$ such that $n \in \{0,1\}$ and

- $\Sigma$ is an arbitrary stack composed only of pairs $(E_1,F_1)$ or $(E_2,F_2)$;
- if $\Sigma = (E_2,F_2) :: \Sigma'$, then $n = 1$.

We can check that such a candidate is a bisimulation, and it ensures that when $l$ is read (when $E_2$ is executed), it contains the value 1.


Example 8. As a variation on the awkward example, let

$$v \stackrel{\mathrm{def}}{=} \lambda f.\ l := {!l} + 1;\ f\,();\ l := {!l} - 1;\ {!l} > 0 \qquad\qquad w \stackrel{\mathrm{def}}{=} \lambda f.\ f\,();\ \mathtt{true}.$$

We show that $\langle \emptyset \mid \mathtt{new}\ l := 1\ \mathtt{in}\ v \rangle$ and $\langle \emptyset \mid w \rangle$ are bisimilar.

Let $E \stackrel{\mathrm{def}}{=} \square;\ l := {!l} - 1;\ {!l} > 0$ and $F \stackrel{\mathrm{def}}{=} \square;\ \mathtt{true}$. We write $(E,F)^n$ for the stack $\odot$ if $n = 0$ and $(E,F) :: (E,F)^{n-1}$ otherwise. Then the candidate $\mathcal{R}$ verifying $\{(v,w)\}, (E,F)^n \vdash l := n+1 \mathrel{\mathcal{R}} \emptyset$ for any $n$ is a bisimulation. Indeed, running $v$ and $w$ increases the value stored in $l$ and adds a pair $(E,F)$ on the stack. If $n > 0$, we can run a copy of $E$ and $F$, thus decreasing the value in $l$ by 1, and then returning $\mathtt{true}$ in both cases.
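The stack discipline of Examples 7 and 8 can be mechanised when the stores hold only first-order values. The following Python script is an added example and not part of the paper: it explores the store judgments of a candidate relation up to a bounded stack depth. Each side is modelled by two step functions, `call` (run the related value on a fresh argument until it blocks on a callback) and `resume` (plug a fresh variable into the context on top of the stack and run it). Contexts are popped and run once, last-in first-out, while values may be called any number of times, so the stack depth has to be bounded; the checker reports a mismatch when the two sides reach normal forms of different kinds or different values. The names `Program`, `check_equivalence` and the reentrancy-sensitive variant `REENTRANT_V` are ours; the encodings of $v$, $w$, $E_1$, $F_1$, $E_2$, $F_2$, $E$ and $F$ follow the definitions in the text.

```python
from collections import deque, namedtuple

# One side of a candidate relation, for programs with first-order (int/bool) stores.
#   init          : initial store contents (None when the side allocates nothing)
#   call(s)       : run the value on a fresh argument -> (s', outcome)
#   resume(s, tag): plug a fresh variable into context `tag` and run it -> (s', outcome)
# An outcome is ("stuck", tag), meaning the run blocked on a callback f () with `tag`
# naming the remaining evaluation context, or ("value", x) for a first-order result.
Program = namedtuple("Program", "init call resume")


def check_equivalence(left, right, max_depth=4):
    """Bounded exploration of the store judgments {(v,w)}, Sigma |- h R g.

    A state is (left store, right store, stack of context-tag pairs).  From a
    state we may either call the related values (first item of clause 2 of
    Definition 6) or pop the top pair of contexts and run them (second item).
    Contexts are thus tested once, LIFO; values can be re-called forever, which
    is why the stack depth is bounded.  Returns (True, None) when no reachable
    state disagrees, or (False, path_of_moves) at the first mismatch.
    """
    start = (left.init, right.init, ())
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        (ls, rs, stack), path = queue.popleft()
        moves = [("call", None)]
        if stack:
            moves.append(("resume", stack[-1]))
        for move, top in moves:
            if move == "call":
                ls2, lo = left.call(ls)
                rs2, ro = right.call(rs)
                rest = stack
            else:
                ltag, rtag = top
                ls2, lo = left.resume(ls, ltag)
                rs2, ro = right.resume(rs, rtag)
                rest = stack[:-1]
            step = path + [move]
            # Both sides must block (or both return), and returned values must agree.
            if lo[0] != ro[0] or (lo[0] == "value" and lo[1] != ro[1]):
                return False, step
            if lo[0] == "stuck":
                rest = rest + ((lo[1], ro[1]),)
            if len(rest) > max_depth:
                continue
            nxt = (ls2, rs2, rest)
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, step))
    return True, None


# Example 7: v = \f. l := 0; f (); l := 1; f (); !l   against   w = \f. f (); f (); 1
AWKWARD_V = Program(
    init=0,                                                    # new l := 0
    call=lambda s: (0, ("stuck", "E1")),                       # l := 0, then block on f ()
    resume=lambda s, tag: (1, ("stuck", "E2")) if tag == "E1"  # E1 = []; l := 1; f (); !l
    else (s, ("value", s)))                                    # E2 = []; !l
AWKWARD_W = Program(
    init=None,
    call=lambda s: (s, ("stuck", "F1")),                       # block on f ()
    resume=lambda s, tag: (s, ("stuck", "F2")) if tag == "F1"  # F1 = []; f (); 1
    else (s, ("value", 1)))                                    # F2 = []; 1

# Example 8: v = \f. l := !l + 1; f (); l := !l - 1; !l > 0   against   w = \f. f (); true
COUNTER_V = Program(
    init=1,                                                    # new l := 1
    call=lambda s: (s + 1, ("stuck", "E")),
    resume=lambda s, tag: (s - 1, ("value", s - 1 > 0)))       # E = []; l := !l - 1; !l > 0
COUNTER_W = Program(
    init=None,
    call=lambda s: (s, ("stuck", "F")),
    resume=lambda s, tag: (s, ("value", True)))                # F = []; true

# Hypothetical variant (ours, not from the paper): the two writes of Example 7 swapped,
# \f. l := 1; f (); l := 0; f (); !l.  A callback that re-enters v leaves l = 0 when an
# outer !l is finally read, so the invariant "E2 on top implies l = 1" no longer holds.
REENTRANT_V = Program(
    init=0,
    call=lambda s: (1, ("stuck", "E1")),
    resume=lambda s, tag: (0, ("stuck", "E2")) if tag == "E1" else (s, ("value", s)))


if __name__ == "__main__":
    print(check_equivalence(AWKWARD_V, AWKWARD_W))    # (True, None)
    print(check_equivalence(COUNTER_V, COUNTER_W))    # (True, None)
    print(check_equivalence(REENTRANT_V, AWKWARD_W))  # (False, ['call', 'resume', 'resume'])
```

The witness path for the swapped variant is exactly the interleaving the invariant of Example 7 rules out: call $v$ (pushing $E_1$), run $E_1$ (which sets $l$ and pushes $E_2$), then run $E_2$, which reads $0$ on the left while the right side returns $1$.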


Example 9. This deferred divergence example comes from Dreyer et al. [5]. Let

$$v_1 \stackrel{\mathrm{def}}{=} \lambda x.\ \mathtt{if}\ {!l}\ \mathtt{then}\ \Omega\ \mathtt{else}\ k := \mathtt{true};\ \lambda y.y \qquad\qquad w_1 \stackrel{\mathrm{def}}{=} \lambda x.\ \Omega$$

$$v_2 \stackrel{\mathrm{def}}{=} \lambda f.\ f\,v_1;\ \mathtt{if}\ {!k}\ \mathtt{then}\ \Omega\ \mathtt{else}\ l := \mathtt{true};\ \lambda y.y \qquad\qquad w_2 \stackrel{\mathrm{def}}{=} \lambda f.\ f\,w_1;\ \lambda y.y$$

We prove that $\mathtt{new}\ l := \mathtt{false}\ \mathtt{in}\ \mathtt{new}\ k := \mathtt{false}\ \mathtt{in}\ v_2$ is equivalent to $w_2$. Informally, if $f$ in $w_2$ applies its argument $w_1$, the term diverges. Divergence also happens in $v_2$ but in a delayed fashion, as $v_1$ first sets $k$ to $\mathtt{true}$, and the continuation $t \stackrel{\mathrm{def}}{=} \mathtt{if}\ {!k}\ \mathtt{then}\ \Omega\ \mathtt{else}\ l := \mathtt{true};\ \lambda y.y$ then diverges. Similarly, if $f$ stores $w_1$ or $v_1$ to apply it later, then divergence also occurs in both cases: in that case $t$ sets $l$ to $\mathtt{true}$, and when $v_1$ is later applied, it diverges.

To build a candidate $\mathcal{R}$, we execute $\langle l := \mathtt{false}; k := \mathtt{false} \mid v_2\,f \rangle$ and $\langle \emptyset \mid w_2\,f \rangle$ for a fresh $f$, which gives us $\langle l := \mathtt{false}; k := \mathtt{false} \mid E[f\,v_1] \rangle$ and $\langle \emptyset \mid F[f\,w_1] \rangle$ with $E \stackrel{\mathrm{def}}{=} \square;\ t$ and $F \stackrel{\mathrm{def}}{=} \square;\ \lambda y.y$. We consider $\{(v_2,w_2), (v_1,w_1)\}, (E,F) :: \odot \vdash l := \mathtt{false}; k := \mathtt{false} \mathrel{\mathcal{R}} \emptyset$, for which we have several checks to do. The interesting one is running $\langle l := \mathtt{false}; k := \mathtt{false} \mid v_1\,x \rangle$ and $\langle \emptyset \mid w_1\,x \rangle$, as we get $\langle l := \mathtt{false}; k := \mathtt{true} \mid \lambda y.y \rangle$ and $\langle \emptyset \mid \Omega \rangle$. In that case, we are showing that the stack contains divergence, by establishing that $\{v_2, v_1, \lambda y.y\}, E :: \odot \vdash l := \mathtt{false}; k := \mathtt{true} \in \mathcal{R}\Uparrow$, and indeed, we have $\langle l := \mathtt{false}; k := \mathtt{true} \mid E[x] \rangle \to^* \langle l := \mathtt{false}; k := \mathtt{true} \mid \Omega \rangle$ for a fresh $x$. In the end, the relation $\mathcal{R}$ verifying

$$\{(v_2,w_2), (v_1,w_1)\}, (E,F)^n \vdash l := \mathtt{false}; k := \mathtt{false} \mathrel{\mathcal{R}} \emptyset$$

$$\{(v_2,w_2), (v_1,w_1)\}, (E,F)^n \vdash \langle l := \mathtt{false}; k := \mathtt{true} \mid \lambda y.y \rangle \mathrel{\mathcal{R}} \langle \emptyset \mid \Omega \rangle$$

$$\{v_2, v_1, \lambda y.y\}, E^n \vdash l := \mathtt{false}; k := \mathtt{true} \in \mathcal{R}\Uparrow$$

$$\{v_2, v_1, \lambda y.y\}, E^n \vdash \langle l := \mathtt{false}; k := \mathtt{true} \mid \Omega \rangle \in \mathcal{R}\Uparrow$$

$$\{(v_2,w_2), (v_1,w_1)\}, (E,F)^n \vdash l := \mathtt{true}; k := \mathtt{false} \mathrel{\mathcal{R}} \emptyset$$

$$\{(v_2,w_2), (v_1,w_1)\}, (E,F)^n \vdash \langle l := \mathtt{true}; k := \mathtt{false} \mid \Omega \rangle \mathrel{\mathcal{R}} \langle \emptyset \mid \Omega \rangle$$

for all $n$ is a bisimulation up to refl and red.
4 Related Work and Conclusion


Related Work. As pointed out in Sect. 1, the other bisimilarities defined for state 
either feature universal quantification over testing arguments [9,12,17,19], or are 
complete only for a more expressive language [18]. Kripke logical relations [1,5] 
also involve quantification over arguments when testing terms of a functional 
type. Finally, denotational models [10,13] can also be used to prove program 
equivalence, by showing that the denotations of two terms are equal. However, 
computing such denotations is difficult in general, and the automation of this 
task is so far restricted to a language with first-order references [14]. 

The work most closely related to ours is Jaber and Tabareau’s Kripke Open 
Bisimulation (KOB) [6]. A KOB tests functional terms with fresh variables and 
not with related values like a regular logical relation would do. To relate two 
given configurations, one has to provide a World Transition System (WTS) which 
states the invariants the heaps of the configurations should satisfy and how to go 
from one invariant to the other during the evaluation. Similarly, the bisimulations 
for the examples of Sect. 3.4 state properties which could be seen as invariants 
about the stores at different points of the evaluation. 

The difficulty for KOB as well as with our bisimilarity is to come up with the 
right invariants about the heaps, expressed either as a WTS or as a bisimulation. 
We believe that choosing a technique over the other is just a matter of preference, 
depending on whether one is more comfortable with game semantics or with 
coinduction. It would be interesting to see if there is a formal correspondence 
between KOB and our bisimilarity; we leave this question as future work.


Conclusion. We define a sound and complete normal-form bisimilarity for higher- 
order local state, with an environment to be able to run terms in different stores. 
We distinguish in the environment values which should be tested several times 
from the contexts which should be executed only once. The other difficulty is 
to relate deferred and regular diverging terms, which is taken care of by the 
specific judgments about divergence. The lack of quantification over arguments makes the bisimulation proofs quite simple.

Future work would be to make these proofs even simpler by defining appropriate up-to techniques. The techniques we use in Sect. 3.3 to prove soundness
turn out to be not that useful when establishing the equivalences of Sect. 3.4, 
except for trivial ones such as up to reduction or reflexivity. The difficulty in 
defining the candidate relations for the examples of Sect.3.4 is in finding the 
right property relating the stack X to the store, so maybe an up-to technique 
could make this task easier. 

As pointed out in Sect. 1, our results can be seen as an indication of what kind 
of additional infrastructure in a complete normal-form bisimilarity is required 
when the considered syntactic theory becomes less discriminative—in our case, 
when control operators vanish from the picture, and mutable state is the only 
extension of the A-calculus. A question one could then ask is whether we can 
find a less expressive calculus—maybe the plain A-calculus itself—for which a 
suitably enhanced normal-form bisimilarity is still complete. 
Abstract. We propose a formal model of distributed computing based
on register automata that captures a broad class of synchronous network 
algorithms. The local memory of each process is represented by a finite- 
state controller and a fixed number of registers, each of which can store 
the unique identifier of some process in the network. To underline the nat- 
uralness of our model, we show that it has the same expressive power as a 
certain extension of first-order logic on graphs whose nodes are equipped 
with a total order. Said extension lets us define new functions on the set 
of nodes by means of a so-called partial fixpoint operator. In spirit, our 
result bears close resemblance to a classical theorem of descriptive com- 
plexity theory that characterizes the complexity class PSPACE in terms of 
partial fixpoint logic (a proper superclass of the logic we consider here). 


1 Introduction 


This paper is part of an ongoing research project aiming to develop a descriptive 
complexity theory for distributed computing. 

In classical sequential computing, descriptive complexity is a well-established 
field that connects computational complexity classes to equi-expressive classes 
of logical formulas. It began in the 1970s, when Fagin showed in [6] that the 
graph properties decidable by nondeterministic Turing machines in polynomial 
time are exactly those definable in existential second-order logic. This provided 
a logical—and thus machine-independent—characterization of the complexity 
class NP. Subsequently, many other popular classes, such as P, PSPACE, and 
EXPTIME were characterized in a similar manner (see for instance the text- 
books [8,12,15]). 

Of particular interest to us is a result due to Abiteboul, Vianu [1], and 
Vardi [19], which states that on structures equipped with a total order rela- 
tion, the properties decidable in PSPACE coincide with those definable in partial 
fixpoint logic. The latter is an extension of first-order logic with an operator that 
allows us to inductively define new relations of arbitrary arity. Basically, this 
means that new relations can occur as free (second-order) variables in the logi- 
cal formulas that define them. Those variables are initially interpreted as empty 
relations and then iteratively updated, using the defining formulas as update 
rules. If the sequence of updates converges to a fixpoint, then the ultimate inter-
pretations are the relations reached in the limit. Otherwise, the variables are 
simply interpreted as empty relations. Hence the term “partial fixpoint”. 

While well-developed in the classical case, descriptive complexity has so far 
not received much attention in the setting of distributed network computing. 
As far as the authors are aware, the first step in this direction was taken by 
Hella et al. in [10,11], where they showed that basic modal logic evaluated on 
finite graphs has the same expressive power as a particular class of distributed 
automata operating in constant time. Those automata constitute a weak model 
of distributed computing in arbitrary network topologies, where all nodes syn- 
chronously execute the same finite-state machine and communicate with each 
other by broadcasting messages to their neighbors. Motivated by this result, sev- 
eral variants of distributed automata were investigated by Kuusisto and Reiter 
in [14,18] and [17] to establish similar connections with standard logics such as 
the modal $\mu$-calculus and monadic second-order logic. However, since the models
of computation investigated in those works are based on anonymous finite-state 
machines, they are much too weak to solve many of the problems typically 
considered in distributed computing, such as leader election or constructing a 
spanning tree. It would thus be desirable to also characterize stronger models. 

A common assumption underlying many distributed algorithms is that each 
node of the considered network is given a unique identifier. This allows us, for 
instance, to elect a leader by making the nodes broadcast their identifiers and 
then choose the one with the smallest identifier as the leader. To formalize such 
algorithms, we need to go beyond finite-state machines because the number of 
bits required to encode a unique identifier grows logarithmically with the num- 
ber of nodes in the network. Recently, in [2,3], Aiswarya, Bollig and Gastin 
introduced a synchronous model where, in addition to a finite-state controller, 
nodes also have a fixed number of registers in which they can store the identi- 
fiers of other nodes. Access to those registers is rather limited in the sense that 
their contents can be compared with respect to a total order, but their numeric 
values are unknown to the nodes. (This restriction corresponds precisely to the 
notion of order-invariant distributed algorithms, which was introduced by Naor 
and Stockmeyer in [16].) Similarly, register contents can be copied, but no new 
values can be generated. Since the original motivation for the model was to 
automatically verify certain distributed algorithms running on ring networks, 
its formal definition is tailored to that particular setting. However, the underly- 
ing principle can be generalized to arbitrary networks of unbounded maximum 
degree, which was the starting point for the present work. 


Contributions. While on an intuitive level, the idea of finite-state machines 
equipped with additional registers might seem very natural, it does not imme- 
diately yield a formal model for distributed algorithms in arbitrary networks. In 
particular, it is not clear what would be the canonical way for nodes to commu- 
nicate with a non-constant number of peers, if we require that they all follow 
the same, finitely representable set of rules. 
The model we propose here, dubbed distributed register automata, is an
attempt at a solution. As in [2,3], nodes proceed in synchronous rounds and 
have a fixed number of registers, which they can compare and update without 
having access to numeric values. The new key ingredient that allows us to for- 
malize communication between nodes of unbounded degree is a local computing 
device we call transition maker. This is a special kind of register machine that the 
nodes can use to scan the states and register values of their entire neighborhood 
in a sequential manner. In every round, each node runs the transition maker to 
update its own local configuration (i.e., its state and register valuation) based 
on a snapshot of the local configurations of its neighbors in the previous round. 
A way of interpreting this is that the nodes communicate by broadcasting their 
local configurations as messages to their neighbors. Although the resulting model 
of computation is by no means universal, it allows formalizing algorithms for a 
wide range of problems, such as constructing a spanning tree (see Example 5) or 
testing whether a graph is Hamiltonian (see Example 6). 
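The leader-election idea sketched in the introduction, run in the synchronous-round style described above, can be simulated in a few lines. The following Python script is an added example and not code from the paper: every node keeps two registers, one for the smallest identifier seen so far and one for the neighbour it learnt it from, and in each round it scans the previous-round configurations of its neighbours in sequence, the way the transition maker does. Register contents are only compared with respect to the order on identifiers or copied, never computed with. Two simplifications are ours: the simulator, not the nodes, detects that a round changed nothing (the automata in the paper have no such global view), and the network `SAMPLE_GRAPH` is a constructed 5-cycle. The function names `run_leader_election` and `is_spanning_tree` are hypothetical.

```python
# Synchronous-round simulation of min-identifier leader election with parent
# pointers, i.e. the (1, {})-(1, {r_leader, r_parent})-transduction that elects a
# leader and roots a spanning tree at it.  Nodes are the integers [0, n), which
# also serve as identifiers.

def run_leader_election(adjacency):
    """adjacency: dict node -> set of neighbours of a finite connected simple graph.

    Returns (rounds, leader, parent), where `rounds` counts the rounds in which some
    register changed.  Termination is detected by the simulator, not by the nodes
    (an assumption of this simulation, not of the paper's model).
    """
    nodes = sorted(adjacency)
    leader = {v: v for v in nodes}   # r_leader: initialised to the node's own identifier
    parent = {v: v for v in nodes}   # r_parent: own identifier means "no parent yet"
    rounds = 0
    while True:
        new_leader, new_parent = {}, {}
        for v in nodes:
            best, via = leader[v], parent[v]
            # The "transition maker": scan the neighbours' previous-round
            # configurations one by one, keeping the smallest leader seen.
            # Only comparison (<) and copying of identifiers are used.
            for u in sorted(adjacency[v]):
                if leader[u] < best:
                    best, via = leader[u], u
            new_leader[v], new_parent[v] = best, via
        if new_leader == leader and new_parent == parent:
            return rounds, leader, parent
        leader, parent = new_leader, new_parent
        rounds += 1


def is_spanning_tree(parent, leader):
    """Check that all nodes agree on the leader, that the leader is its own parent,
    and that following parent pointers from any node reaches the leader without
    running into a cycle."""
    root = next(iter(leader.values()))
    if any(x != root for x in leader.values()) or parent[root] != root:
        return False
    for v in parent:
        seen, cur = set(), v
        while cur != root:
            if cur in seen:
                return False
            seen.add(cur)
            cur = parent[cur]
    return True


# Constructed sample network (not from the paper): the 5-cycle 0-1-2-3-4-0.
SAMPLE_GRAPH = {0: {1, 4}, 1: {0, 2}, 2: {1, 3}, 3: {2, 4}, 4: {3, 0}}

if __name__ == "__main__":
    rounds, leader, parent = run_leader_election(SAMPLE_GRAPH)
    print(rounds, leader, parent)            # 2 {0: 0, ...} {0: 0, 1: 0, 2: 1, 3: 4, 4: 0}
    print(is_spanning_tree(parent, leader))  # True
```

On the sample cycle the registers stabilise after two rounds, the distance from node 0 to the farthest node; the parent pointers form the tree 1, 4 below 0, with 2 below 1 and 3 below 4.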

Nevertheless, our model is somewhat arbitrary, since it could be just one par- 
ticular choice among many other similar definitions capturing different classes 
of distributed algorithms. What justifies our choice? This is where descriptive 
complexity comes into play. By identifying a logical formalism that has the same 
expressive power as distributed register automata, we provide substantial evi- 
dence for the naturalness of that model. Our formalism, referred to as functional 
fixpoint logic, is a fragment of the above-mentioned partial fixpoint logic. Like 
the latter, it also extends first-order logic with a partial fixpoint operator, but a 
weaker one that can only define unary functions instead of arbitrary relations. 
We show that on totally ordered graphs, this logic allows one to express precisely 
the properties that can be decided by distributed register automata. The con- 
nection is strongly reminiscent of Abiteboul, Vianu and Vardi’s characterization 
of PSPACE, and thus contributes to the broader objective of extending classical 
descriptive complexity to the setting of distributed computing. Moreover, given 
that logical formulas are often more compact and easier to understand than 
abstract machines (compare Examples 6 and 8), logic could also become a useful 
tool in the formal specification of distributed algorithms. 

The remainder of this paper is structured around our main result: 


Theorem 1. When restricted to finite graphs whose nodes are equipped with a 
total order, distributed register automata are effectively equivalent to functional 
fixpoint logic. 


After giving some preliminary definitions in Sect.2, we formally introduce 
distributed register automata in Sect.3 and functional fixpoint logic in Sect. 4. 
We then sketch the proof of Theorem 1 in Sect. 5, and conclude in Sect. 6. 


2 Preliminaries 


We denote the empty set by $\emptyset$, the set of nonnegative integers by $\mathbb{N} = \{0, 1, 2, \ldots\}$, and the set of integers by $\mathbb{Z} = \{\ldots, -1, 0, 1, \ldots\}$. The cardinality of any set $S$ is written as $|S|$ and the power set as $2^S$.

In analogy to the commonly used notation for real intervals, we define the notation $[m:n] = \{i \in \mathbb{Z} \mid m \le i \le n\}$ for any $m, n \in \mathbb{Z}$ such that $m \le n$. To indicate that an endpoint is excluded, we replace the corresponding square bracket with a parenthesis, e.g., $(m:n] = [m:n] \setminus \{m\}$. Furthermore, if we omit the first endpoint, it defaults to 0. This gives us shorthand notations such as $[n] := [0:n]$ and $[n) := [0:n) = [0:n-1]$.

All graphs we consider are finite, simple, undirected, and connected. For 
notational convenience, we identify their nodes with nonnegative integers, which 
also serve as unique identifiers. That is, when we talk about the identifier of a 
node, we mean its numerical representation. A graph is formally represented as a 
pair $G = (V, E)$, where the set $V$ of nodes is equal to $[n)$, for some integer $n \ge 2$, and the set $E$ consists of undirected edges of the form $e = \{u, v\} \subseteq V$ such that $u \ne v$. Additionally, $E$ must satisfy that every pair of nodes is connected by a
sequence of edges. The restriction to graphs of size at least two is for technical 
reasons; it ensures that we can always encode Boolean values as nodes. 

We refer the reader to [5] for standard graph theoretic terms such as neighbor, 
degree, maximum degree, distance, and spanning tree. 

Graphs are used to model computer networks, where nodes correspond to pro- 
cesses and edges to communication links. To represent the current configuration 
of a system as a graph, we equip each node with some additional information: 
the current state of the corresponding process, taken from a nonempty finite set 
Q, and some pointers to other processes, modeled by a finite set R of registers. 

We call Σ = (Q, R) a signature and define a Σ-configuration as a tuple 
C = (G, q, ρ), where G = (V, E) is a graph, called the underlying graph of C, 
q: V → Q is a state function that assigns to each node a state q ∈ Q, and 
ρ: V → V^R is a register valuation function that associates with each node a 
register valuation ρ ∈ V^R. The set of all Σ-configurations is denoted by C(Σ). 
Figure 1 on page 6 illustrates part of a ({q1, q2, q3}, {r1, r2, r3})-configuration. 

If R = Ø, then we are actually dealing with a tuple (G, q), which we call a 
Q-labeled graph. Accordingly, the elements of Q may also be called labels. A set 
P of labeled graphs will be referred to as a graph property. Moreover, if the labels 
are irrelevant, we set Q equal to the singleton 1 := {ε}, where ε is our dummy 
label. In this case, we identify (G, q) with G and call it an unlabeled graph. 


3 Distributed Register Automata 


Many distributed algorithms can be seen as transducers. A leader-election algo- 
rithm, for instance, takes as input a network and outputs the same network, 
but with every process storing the identifier of the unique leader in some ded- 
icated register r. Thus, the algorithm transforms a (1, Ø)-configuration into 
a (1, {r})-configuration. We say that it defines a (1, Ø)-(1, {r})-transduction. 
By the same token, if we consider distributed algorithms that decide graph 
properties (e.g., whether a graph is Hamiltonian), then we are dealing with a 
(I, Ø)-({YES, NO}, Ø)-transduction, where I is some set of labels. The idea is that 
a graph will be accepted if and only if every process eventually outputs YES. 
Let us now formalize the notion of transduction. For any two signatures 
Σ^in = (I, R^in) and Σ^out = (O, R^out), a Σ^in-Σ^out-transduction is a partial 
mapping T: C(Σ^in) → C(Σ^out) such that, if defined, T(G, q, ρ) = (G, q', ρ') 
for some q' and ρ'. That is, a transduction does not modify the underlying 
graph but only the states and register valuations. We denote the set of all 
Σ^in-Σ^out-transductions by T(Σ^in, Σ^out) and refer to Σ^in and Σ^out as the input 
and output signatures of T. By extension, I and O are called the sets of input and 
output labels, and R^in and R^out the sets of input and output registers. Similarly, 
any Σ^in-configuration C can be referred to as an input configuration of T and 
T(C) as an output configuration. 

Next, we introduce our formal model of distributed algorithms. 


Definition 2 (Distributed register automaton). Let Σ^in = (I, R^in) and 
Σ^out = (O, R^out) be two signatures. A distributed register automaton (or simply 
automaton) with input signature Σ^in and output signature Σ^out is a tuple 
A = (Q, R, ι, Δ, H, o) consisting of a nonempty finite set Q of states, a finite set 
R of registers that includes both R^in and R^out, an input function ι: I → Q, a 
transition maker Δ whose specification will be given in Definition 3 below, a set 
H ⊆ Q of halting states, and an output function o: H → O. The registers in 
R \ (R^in ∪ R^out) are called auxiliary registers. 


Automaton A computes a transduction T_A ∈ T(Σ^in, Σ^out). To do so, it runs 
in a sequence of synchronous rounds on the input configuration's underlying 
graph G = (V, E). After each round, the automaton's global configuration is a 
(Q, R)-configuration C = (G, q, ρ), i.e., the underlying graph is always G. As 
mentioned before, for a node v ∈ V, we interpret q(v) ∈ Q as the current state 
of v and ρ(v) ∈ V^R as the current register valuation of v. Abusing notation, we 
let C(v) := (q(v), ρ(v)) and say that C(v) is the local configuration of v. In Fig. 1, 
the local configuration of node 17 is (q1, {r1, r2, r3 ↦ 17, 34, 98}). 

For a given input configuration C = (G, q, ρ) ∈ C(Σ^in), the automaton's 
initial configuration is C' = (G, ι ∘ q, ρ'), where for all v ∈ V, we have ρ'(v)(r) = 
ρ(v)(r) if r ∈ R^in, and ρ'(v)(r) = v if r ∈ R \ R^in. This means that every node 
v is initialized to state ι(q(v)), and v's initial register valuation ρ'(v) assigns v's 
own identifier (provided by G) to all non-input registers while keeping the given 
values assigned by ρ(v) to the input registers. 

Each subsequent configuration is obtained by running the transition maker Δ 
synchronously on all nodes. As we will see, Δ computes a function 

\[ \llbracket \Delta \rrbracket \colon (Q \times V^R)^+ \to Q \times V^R \]

that maps from nonempty sequences of local configurations to local configurations. 
This allows the automaton A to transition from a given configuration C 
to the next configuration C' as follows. For every node u ∈ V of degree d, we 
consider the list v_1, ..., v_d of u's neighbors sorted in ascending (identifier) order, 
i.e., v_i < v_{i+1} for i ∈ [1:d). (See Fig. 1 for an example, where u corresponds 
to node 17.) If u is already in a halting state, i.e., if C(u) = (q, ρ) ∈ H × V^R, 
then its local configuration does not change anymore, i.e., C'(u) = C(u). Otherwise, 
we define C'(u) = ⟦Δ⟧(C(u), C(v_1), ..., C(v_d)), which we may write more 
suggestively as 

\[ \llbracket \Delta \rrbracket \colon C(u) \xrightarrow{\,C(v_1),\,\dots,\,C(v_d)\,} C'(u). \]

Intuitively, node u updates its own local configuration by using Δ to scan a 
snapshot of its neighbors' local configurations. As the system is synchronous, 
this update procedure is performed simultaneously by all nodes. 

Fig. 1. Part of a configuration, as seen by a single node. Assuming the identifiers of 
the nodes are the values represented in black boxes (i.e., those stored in register r1), 
the automaton at node 17 will update its own local configuration (q1, {r1, r2, r3 ↦ 
17, 34, 98}) by running the transition maker on the sequence consisting of the local 
configurations of nodes 17, 2, 34, and 98 (in that exact order). 

A configuration C = (G, q, ρ) is called a halting configuration if all nodes are 
in a halting state, i.e., if q(v) ∈ H for all v ∈ V. We say that A halts if it reaches 
a halting configuration. 

The output configuration produced by a halting configuration C = (G, q, ρ) 
is the Σ^out-configuration C' = (G, o ∘ q, ρ'), where for all v ∈ V and r ∈ R^out, 
we have ρ'(v)(r) = ρ(v)(r). In other words, each node v outputs the state o(q(v)) 
and keeps in its output registers the values assigned by ρ(v). 

It is now obvious that A defines a transduction T_A: C(Σ^in) → C(Σ^out). If A 
receives the input configuration C ∈ C(Σ^in) and eventually halts and produces 
the output configuration C' ∈ C(Σ^out), then T_A(C) = C'. Otherwise (if A does 
not halt), T_A(C) is undefined. 


Deciding graph properties. Our primary objective is to use distributed register 
automata as decision procedures for graph properties. Therefore, we will focus 
on automata A that halt in a finite number of rounds on every input configuration, 
and we often restrict to input signatures of the form (I, Ø) and the output 
signature ({YES, NO}, Ø). For example, for I = {a, b}, we may be interested in the 
set of I-labeled graphs that have exactly one a-labeled node v (the “leader”). 
We stipulate that A accepts an input configuration C with underlying graph 
G = (V, E) if T_A(C) = (G, q, ρ) such that q(v) = YES for all v ∈ V. Conversely, 
A rejects C if T_A(C) = (G, q, ρ) such that q(v) = NO for some v ∈ V. This 
corresponds to the usual definition chosen in the emerging field of distributed 
decision [7]. Accordingly, a graph property P is decided by A if the automaton 
accepts all input configurations that satisfy P and rejects all the others. 
It remains to explain how the transition maker Δ works internally. 


Definition 3 (Transition maker). Suppose that A = (Q, R, ι, Δ, H, o) is a 
distributed register automaton. Then its transition maker Δ = (Q̃, R̃, ĩ, δ̃, õ) consists 
of a nonempty finite set Q̃ of inner states, a finite set R̃ of inner registers 
that is disjoint from R, an inner initial state ĩ ∈ Q̃, an inner transition function 
δ̃: Q̃ × Q × 2^{(R̃ ∪ R)²} → Q̃ × (R̃ ∪ R)^{R̃}, and an inner output function õ: Q̃ → 
Q × R̃^R. 


Basically, a transition maker Δ = (Q̃, R̃, ĩ, δ̃, õ) is a sequential register 
automaton (in the spirit of [13]) that reads a nonempty sequence 
(q_0, ρ_0), ..., (q_d, ρ_d) ∈ (Q × V^R)^+ of local configurations of A in order to produce 
a new local configuration (q', ρ'). While reading this sequence, it traverses itself 
a sequence (q̃_0, ρ̃_0), ..., (q̃_{d+1}, ρ̃_{d+1}) of inner configurations, which each consist 
of an inner state q̃_i ∈ Q̃ and an inner register valuation ρ̃_i ∈ (V ∪ {⊥})^{R̃}, where 
the symbol ⊥ represents an undefined value. For the initial inner configuration, 
we set q̃_0 = ĩ and ρ̃_0(r̃) = ⊥ for all r̃ ∈ R̃. Now for i ∈ [d], when Δ is in the 
inner configuration (q̃_i, ρ̃_i) and reads the local configuration (q_i, ρ_i), it can compare 
all values assigned to the inner registers and registers by ρ̃_i and ρ_i (with 
respect to the order relation on V). In other words, it has access to the binary 
relation ≺_i ⊆ (R̃ ∪ R)² such that for r̃, s̃ ∈ R̃ and r, s ∈ R, we have r̃ ≺_i r if 
and only if ρ̃_i(r̃) < ρ_i(r), and analogously for r ≺_i r̃, r̃ ≺_i s̃, and r ≺_i s. In particular, 
if ρ̃_i(r̃) = ⊥, then r̃ is incomparable with respect to ≺_i. Equipped with 
this relation, Δ transitions to (q̃_{i+1}, ρ̃_{i+1}) by evaluating δ̃(q̃_i, q_i, ≺_i) = (q̃_{i+1}, α) 
and computing ρ̃_{i+1} such that ρ̃_{i+1}(r̃) = ρ̃_i(s̃) if α(r̃) = s̃, and ρ̃_{i+1}(r̃) = ρ_i(s) 
if α(r̃) = s, where r̃, s̃ ∈ R̃ and s ∈ R. Finally, after having read the entire 
input sequence and reached the inner configuration (q̃_{d+1}, ρ̃_{d+1}), the transition 
maker outputs the local configuration (q', ρ') such that õ(q̃_{d+1}) = (q', β) and 
β(r) = r̃ implies ρ'(r) = ρ̃_{d+1}(r̃). Here we assume without loss of generality that 
Δ guarantees that ρ'(r) ≠ ⊥ for all r ∈ R. 


Remark 4. Recall that V = [n) for any graph G = (V, E) with n nodes. How- 
ever, as registers cannot be compared with constants, this actually represents 
an arbitrary assignment of unique, totally ordered identifiers. To determine the 
smallest identifier (i.e., 0), the nodes can run an algorithm such as the following. 


Example 5 (Spanning tree). We present a simple automaton A = (Q, R, ι, Δ, 
H, o) with input signature Σ^in = (1, Ø) and output signature Σ^out = 
(1, {parent, root}) that computes a (breadth-first) spanning tree of its input 
graph G = (V, E), rooted at the node with the smallest identifier. More precisely, 
in the computed output configuration C = (G, q, ρ), every node will store 
the identifier of its tree parent in register parent and the identifier of the root 
(i.e., the smallest identifier) in register root. Thus, as a side effect, A also solves 
the leader election problem by electing the root as the leader. 

Algorithm 1. Transition maker of the automaton from Example 5 

    if ∃ neighbor nb (nb.root < my.root):                                                        (Rule 1) 
        my.state ← 1; my.parent ← nb.self; my.root ← nb.root 
    else if my.state = 1 ∧ ∀ neighbor nb (nb.root = my.root ∧ (nb.parent ≠ my.self ∨ nb.state = 2)):   (Rule 2) 
        my.state ← 2 
    else if (my.state = 2 ∧ my.root = my.self) ∨ (my.parent.state = 3):                          (Rule 3) 
        my.state ← 3 
    else do nothing 

The automaton operates in three phases, which are represented by the set 
of states Q = {1,2,3}. A node terminates as soon as it reaches the third phase, 
i.e., we set H = {3}. Accordingly, the (trivial) input and output functions are 
ι: ε ↦ 1 and o: 3 ↦ ε. In addition to the output registers, each node has an 
auxiliary register self that will always store its own identifier. Thus, we choose 
R = {self, parent, root}. For the sake of simplicity, we describe the transition 
maker A in Algorithm 1 using pseudocode rules. However, it should be clear 
that these rules could be relatively easily implemented according to Definition 3. 

All nodes start in state 1, which represents the tree-construction phase. By 
Rule 1, whenever an active node (i.e., a node in state 1 or 2) sees a neighbor 
whose root register contains a smaller identifier than the node’s own root register, 
it updates its parent and root registers accordingly and switches to state 1. To 
resolve the nondeterminism in Rule 1, we stipulate that nb is chosen to be the 
neighbor with the smallest identifier among those whose root register contains 
the smallest value seen so far. 

As can be easily shown by induction on the number of communication rounds, 
the nodes have to apply Rule 1 no more than diameter(G) times in order for 
the pointers in register parent to represent a valid spanning tree (where the 
root points to itself). However, since the nodes do not know when diameter(G) 
rounds have elapsed, they must also check that the current configuration does 
indeed represent a single tree, as opposed to a forest. They do so by propagating 
a signal, in the form of state 2, from the leaves up to the root. 

By Rule 2, if an active node whose neighbors all agree on the same root 
realizes that it is a leaf or that all of its children are in state 2, then it switches to 
state 2 itself. Assuming the parent pointers in the current configuration already 
represent a single tree, Rule 2 ensures that the root will eventually be notified of 
this fact (when all of its children are in state 2). Otherwise, the parent pointers 
represent a forest, and every tree contains at least one node that has a neighbor 
outside of the tree (as we assume the underlying graph is connected). 
Depending on the input graph, a node can switch arbitrarily often between 
states 1 and 2. Once the spanning tree has been constructed and every node is in 
state 2, the only node that knows this is the root. In order for the algorithm to 
terminate, Rule 3 then makes the root broadcast an acknowledgment message 
down the tree, which causes all nodes to switch to the halting state 3. 
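As an added illustration (not code from the paper), the following Python simulation runs the three rules of Algorithm 1 in synchronous rounds on a constructed 7-node graph; it applies the rules directly instead of building the inner register automaton of Definition 3, and identifiers are only ever compared, never used as constants (Remark 4). The graph SAMPLE and the tie-breaking in Rule 1 (smallest identifier among the neighbors with the smallest root, as stipulated above) are the assumptions.

```python
"""Synchronous simulation of the spanning-tree automaton of Example 5
(Algorithm 1).  Added example, not the paper's code: the three rules are
applied directly instead of being compiled into the inner register automaton
of Definition 3.  Identifiers are only compared, never used as constants."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Graph = Dict[int, Set[int]]   # node -> neighbours (finite, simple, undirected, connected)


@dataclass(frozen=True)
class Local:
    """Local configuration of one node: state plus registers self, parent, root."""
    state: int     # 1 = tree construction, 2 = subtree confirmed, 3 = halted (H = {3})
    self_id: int   # auxiliary register self
    parent: int    # output register parent
    root: int      # output register root


def initial_configuration(g: Graph) -> Dict[int, Local]:
    """Input signature (1, {}): every register starts with the node's own identifier."""
    return {v: Local(1, v, v, v) for v in g}


def transition(me: Local, nbs: List[Local]) -> Local:
    """One application of the transition maker to (C(u), C(v_1), ..., C(v_d)),
    where nbs is sorted by ascending identifier as in Sect. 3."""
    if me.state == 3:                          # halting states never change
        return me
    # Rule 1: adopt a strictly smaller root.  Scanning in ascending order and
    # replacing only on a strictly smaller root picks, among the neighbours
    # with the smallest root, the one with the smallest identifier.
    best: Optional[Local] = None
    for nb in nbs:
        if nb.root < me.root and (best is None or nb.root < best.root):
            best = nb
    if best is not None:
        return Local(1, me.self_id, best.self_id, best.root)
    # Rule 2: all neighbours agree on my root and each child is in state 2.
    if me.state == 1 and all(
        nb.root == me.root and (nb.parent != me.self_id or nb.state == 2)
        for nb in nbs
    ):
        return Local(2, me.self_id, me.parent, me.root)
    # Rule 3: the root acknowledges, or my parent has already halted.
    parent_halted = any(nb.self_id == me.parent and nb.state == 3 for nb in nbs)
    if (me.state == 2 and me.root == me.self_id) or parent_halted:
        return Local(3, me.self_id, me.parent, me.root)
    return me                                  # else do nothing


def run(g: Graph, max_rounds: int = 10_000) -> Tuple[Dict[int, Local], int]:
    """Run synchronous rounds until the configuration is halting."""
    conf = initial_configuration(g)
    for rounds in range(max_rounds):
        if all(c.state == 3 for c in conf.values()):
            return conf, rounds
        conf = {v: transition(conf[v], [conf[u] for u in sorted(g[v])]) for v in g}
    raise RuntimeError("automaton did not halt within max_rounds")


def is_spanning_tree(g: Graph, conf: Dict[int, Local]) -> bool:
    """Output check: parent pointers form one tree over edges of g, rooted at the
    node with the smallest identifier, and every root register holds that node."""
    r = min(g)
    if conf[r].parent != r or any(c.root != r for c in conf.values()):
        return False
    for v in g:
        seen = {v}
        while v != r:                          # follow parents until the root
            if conf[v].parent not in g[v]:
                return False
            v = conf[v].parent
            if v in seen:                      # a cycle would mean no tree at all
                return False
            seen.add(v)
    return True


# Constructed sample input: a triangle, a 4-cycle and a pendant path (7 nodes).
SAMPLE: Graph = {
    3: {8, 12}, 8: {3, 12, 20}, 12: {3, 8, 15}, 15: {12, 20, 42},
    20: {8, 15}, 42: {15, 7}, 7: {42},
}

if __name__ == "__main__":
    conf, rounds = run(SAMPLE)
    print(f"halted after {rounds} rounds; spanning tree ok: {is_spanning_tree(SAMPLE, conf)}")
    for v in sorted(conf):
        print(f"node {v}: parent {conf[v].parent}, root {conf[v].root}")
```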


Building on the automaton from Example 5, we now give an example of a 
graph property that can be decided in our model of distributed computing. The 
following automaton should be compared to the logical formula presented later 
in Example 8, which is much more compact and much easier to specify. 


Example 6 (Hamiltonian cycle). We describe an automaton with input signature 
Σ^in = (1, {parent, root}) and output signature Σ^out = ({YES, NO}, Ø) that 
decides if the underlying graph G = (V, E) of its input configuration C = (G, q, ρ) 
is Hamiltonian, i.e., whether G contains a cycle that goes through each node 
exactly once. The automaton works under the assumption that ρ encodes a valid 
spanning tree of G in the registers parent and root, as constructed by the automaton 
from Example 5. Hence, by combining the two automata, we could easily 
construct a third one that decides the graph property of Hamiltonicity. 

The automaton A = (Q, R, ι, Δ, H, o) presented here implements a simple 
backtracking algorithm that tries to traverse G along a Hamiltonian cycle. Its set 
of states is Q = ({unvisited, visited, backtrack} × {idle, request, good, bad}) ∪ H, 
with the set of halting states H = {YES, NO}. Each non-halting state consists 
of two components, the first one serving for the backtracking procedure and the 
second one for communicating in the spanning tree. The input function ι initializes 
every node to the state (unvisited, idle), while the output function simply 
returns the answers chosen by the nodes, i.e., o: YES ↦ YES, NO ↦ NO. In addition 
to the input registers, each node has a register self storing its own identifier 
and a register successor to point to its successor in a (partially constructed) 
Hamiltonian path. That is, R = {self, parent, root, successor}. We now describe 
the algorithm in an informal way. It is, in principle, easy to implement in the 
transition maker Δ, but a thorough formalization would be rather cumbersome. 

In the first round, the root marks itself as visited and updates its successor reg- 
ister to point towards its smallest neighbor (the one with the smallest identifier). 
Similarly, in each subsequent round, any unvisited node that is pointed to by one 
of its neighbors marks itself as visited and points towards its smallest unvisited 
neighbor. However, if all neighbors are already visited, the node instead sends the 
backtrack signal to its predecessor and switches back to unvisited (in the following 
round). Whenever a visited node receives the backtrack signal from its successor, 
it tries to update its successor to the next-smallest unvisited neighbor. If no such 
neighbor exists, it resets its successor pointer to itself, propagates the backtrack 
signal to its predecessor, and becomes unvisited in the following round. 

There is only one exception to the above rules: if a node that is adjacent to 
the root cannot find any unvisited neighbor, it chooses the root as its successor. 
This way, the constructed path becomes a cycle. In order to check whether 
that cycle is Hamiltonian, the root now broadcasts a request down the spanning 
tree. If the request reaches an unvisited node, that node replies by sending the 
message bad towards the root. On the other hand, every visited leaf replies with 
the message good. While bad is always forwarded up to the root, good is only 
forwarded by nodes that receive this message from all of their children. If the 
root receives only good, then it knows that the current cycle is Hamiltonian 
and it switches to the halting state YES. The information is then broadcast 
through the entire graph, so that all nodes eventually accept. Otherwise, the root 
sends the backtrack signal to its predecessor, and the search for a Hamiltonian 
cycle continues. In case there is none (in particular, if there is not even an 
arbitrary cycle), the root will eventually receive the backtrack signal from its 
greatest neighbor, which indicates that all possibilities have been exhausted. If 
this happens, the root switches to the halting state NO, and all other nodes 
eventually do the same. 


4 Functional Fixpoint Logic 


In order to introduce functional fixpoint logic, we first give a definition of first- 
order logic that suits our needs. Formulas will always be evaluated on ordered, 
undirected, connected, I-labeled graphs, where I is a fixed finite set of labels. 

Throughout this paper, let N be an infinite supply of node variables and F be 
an infinite supply of function variables; we refer to them collectively as variables. 
The corresponding set of terms is generated by the grammar t ::= x | f(t), where 
x ∈ N and f ∈ F. With this, the set of formulas of first-order logic over I is 
given by the grammar 

\[ \varphi ::= \langle a \rangle t \mid s < t \mid s \frown t \mid \neg\varphi \mid \varphi \vee \varphi \mid \exists x\, \varphi, \]

where s and t are terms, a ∈ I, and x ∈ N. As usual, we may also use the 
additional operators ∧, →, ↔, ∀ to make our formulas more readable, and we 
define the notations s ≤ t, s = t, and s ≠ t as abbreviations for ¬(t < s), 
(s ≤ t) ∧ (t ≤ s), and ¬(s = t), respectively. 

The sets of free variables of a term t and a formula φ are denoted by free(t) 
and free(φ), respectively. While node variables can be bound by the usual quantifiers 
∃ and ∀, function variables can be bound by a partial fixpoint operator 
that we will introduce below. 

To interpret a formula φ on an I-labeled graph (G, q) with G = (V, E), we 
are given a variable assignment σ for the variables that occur freely in φ. This 
is a partial function σ: N ∪ F → V ∪ V^V such that σ(x) ∈ V if x is a free node 
variable and σ(f) ∈ V^V if f is a free function variable. We call σ(x) and σ(f) the 
interpretations of x and f under σ, and denote them by x^σ and f^σ, respectively. 
For a composite term t, the corresponding interpretation t^σ under σ is defined 
in the obvious way. 

We write (G, q), σ ⊨ φ to denote that (G, q) satisfies φ under assignment σ. 
If φ does not contain any free variables, we simply write (G, q) ⊨ φ and refer 
to the set P of I-labeled graphs that satisfy φ as the graph property defined 
by φ. Naturally enough, we say that two devices (i.e., automata or formulas) are 
equivalent if they specify (i.e., decide or define) the same graph property and 
that two classes of devices are equivalent if their members specify the same class 
of graph properties. 

As we assume that the reader is familiar with first-order logic, we only define 
the semantics of the atomic formulas (whose syntax is not completely standard): 


\begin{align*}
(G,q),\sigma \models \langle a \rangle t &\ \text{ iff }\ q(t^\sigma) = a && \text{(“$t$ has label $a$”),}\\
(G,q),\sigma \models s < t &\ \text{ iff }\ s^\sigma < t^\sigma && \text{(“$s$ is smaller than $t$”),}\\
(G,q),\sigma \models s \frown t &\ \text{ iff }\ \{s^\sigma, t^\sigma\} \in E && \text{(“$s$ and $t$ are adjacent”).}
\end{align*}


We now turn to functional fixpoint logic. Syntactically, it is defined as the 
extension of first-order logic that allows us to write formulas of the form 

\[
\mathrm{pfp}\left[\begin{array}{l}
f_1\colon \varphi_1(f_1,\dots,f_\ell,\mathrm{IN},\mathrm{OUT})\\
\quad\vdots\\
f_\ell\colon \varphi_\ell(f_1,\dots,f_\ell,\mathrm{IN},\mathrm{OUT})
\end{array}\right]\psi
\tag{$\ast$}
\]

where f_1, ..., f_ℓ ∈ F, IN, OUT ∈ N, and φ_1, ..., φ_ℓ, ψ are formulas. We 
use the notation “φ_i(f_1, ..., f_ℓ, IN, OUT)” to emphasize that f_1, ..., f_ℓ, IN, OUT 
may occur freely in φ_i (possibly among other variables). The free variables 
of formula (∗) are given by ⋃_{i∈[1:ℓ]} [free(φ_i) \ {f_1, ..., f_ℓ, IN, OUT}] ∪ [free(ψ) \ 
{f_1, ..., f_ℓ}]. 

The idea is that the partial fixpoint operator pfp binds the function variables 
f_1, ..., f_ℓ. The ℓ lines in square brackets constitute a system of function definitions 
that provide an interpretation of f_1, ..., f_ℓ, using the special node variables 
IN and OUT as helpers to represent input and output values. This is why pfp also 
binds any free occurrences of IN and OUT in φ_1, ..., φ_ℓ, but not in ψ. 

To specify the semantics of (∗), we first need to make some preliminary observations. 
As before, we consider a fixed I-labeled graph (G, q) with G = (V, E) 
and assume that we are given a variable assignment σ for the free variables 
of (∗). With respect to (G, q) and σ, each formula φ_i induces an operator 
F_{φ_i}: (V^V)^ℓ → V^V that takes some interpretation of the function variables 
f_1, ..., f_ℓ and outputs a new interpretation of f_i, corresponding to the function 
graph defined by φ_i via the node variables IN and OUT. For inputs on which 
φ_i does not define a functional relationship, the new interpretation of f_i behaves 
like the identity function. More formally, given a variable assignment σ̂ that 
extends σ with interpretations of f_1, ..., f_ℓ, the operator F_{φ_i} maps (f_1^{σ̂}, ..., f_ℓ^{σ̂}) 
to the function f_i^new such that for all u ∈ V, 

\[ f_i^{\mathrm{new}}(u) = \begin{cases} v & \text{if $v$ is the unique node in $V$ s.t. } (G,q),\hat\sigma[\mathrm{IN},\mathrm{OUT} \mapsto u,v] \models \varphi_i,\\ u & \text{otherwise.} \end{cases} \]



Here, σ̂[IN, OUT ↦ u, v] is the extension of σ̂ interpreting IN as u and OUT as v. 
In this way, the operators F_{φ_1}, ..., F_{φ_ℓ} give rise to an infinite sequence 
(f_1^k, ..., f_ℓ^k)_{k≥0} of tuples of functions, called stages, where the initial stage contains 
solely the identity function id_V and each subsequent stage is obtained from 
its predecessor by componentwise application of the operators. More formally, 

\[ f_i^0 = \mathrm{id}_V = \{u \mapsto u \mid u \in V\} \quad\text{and}\quad f_i^{k+1} = F_{\varphi_i}(f_1^k, \dots, f_\ell^k), \]

for i ∈ [1:ℓ] and k ≥ 0. Now, since we have not imposed any restrictions on 
the formulas φ_i, this sequence might never stabilize, i.e., it is possible that 
(f_1^k, ..., f_ℓ^k) ≠ (f_1^{k+1}, ..., f_ℓ^{k+1}) for all k ≥ 0. Otherwise, the sequence reaches a 
(simultaneous) fixpoint at some position k no greater than |V|^{ℓ·|V|} (the number 
of ℓ-tuples of functions on V). 

We define the partial fixpoint (f_1^∞, ..., f_ℓ^∞) of the operators F_{φ_1}, ..., F_{φ_ℓ} to 
be the reached fixpoint if it exists, and the tuple of identity functions otherwise. 
That is, for i ∈ [1:ℓ], 

\[ f_i^\infty = \begin{cases} f_i^k & \text{if there exists $k \ge 0$ such that $f_j^k = f_j^{k+1}$ for all $j \in [1{:}\ell]$,}\\ \mathrm{id}_V & \text{otherwise.} \end{cases} \]


Having introduced the necessary background, we can finally provide the 
semantics of the formula pfp[f_i: φ_i]_{i∈[1:ℓ]} ψ presented in (∗): 

\[ (G,q),\sigma \models \mathrm{pfp}[f_i\colon \varphi_i]_{i \in [1:\ell]}\,\psi \quad\text{iff}\quad (G,q),\sigma[f_i \mapsto f_i^\infty]_{i \in [1:\ell]} \models \psi, \]

where σ[f_i ↦ f_i^∞]_{i∈[1:ℓ]} is the extension of σ that interprets f_i as f_i^∞, for i ∈ [1:ℓ]. 
In other words, the formula pfp[f_i: φ_i]_{i∈[1:ℓ]} ψ can intuitively be read as 

“if f_1, ..., f_ℓ are interpreted as the partial fixpoint of φ_1, ..., φ_ℓ, then ψ holds”. 


Syntactic Sugar 


Before we consider a concrete formula (in Example 8), we first introduce some 
“syntactic sugar” to make using functional fixpoint logic more pleasant. 


Set variables. According to our definition of functional fixpoint logic, the oper- 
ator pfp can bind only function variables. However, functions can be used to 
encode sets of nodes in a straightforward manner: any set U may be represented 
by a function that maps nodes outside of U to themselves and nodes inside U 
to nodes distinct from themselves. Therefore, we may fix an infinite supply S of 
set variables, and extend the syntax of first-order logic to allow atomic formulas 
of the form t € X, where t is a term and X is a set variable in S. Naturally, the 
semantics is that “t is an element of X”. To bind set variables, we can then write 
partial fixpoint formulas of the form pfp[(f_i: φ_i)_{i∈[1:ℓ]}, (X_i: ϑ_i)_{i∈[1:m]}] ψ, where 
f_1, ..., f_ℓ ∈ F, X_1, ..., X_m ∈ S, and φ_1, ..., φ_ℓ, ϑ_1, ..., ϑ_m, ψ are formulas. The 
stages of the partial fixpoint induction are computed as before, but each set 
variable X; is initialized to Ø, and falls back to Ø in case the sequence of stages 
does not converge to a fixpoint. 
Quantifiers over functions and sets. Partial fixpoint inductions allow us to iterate 
over various interpretations of function and set variables and thus provide 
a way of expressing (second-order) quantification over functions and sets. Since 
we restrict ourselves to graphs whose nodes are totally ordered, we can easily 
define a suitable order of iteration and a corresponding partial fixpoint induction 
that traverses all possible interpretations of a given function or set variable. To 
make this more convenient, we enrich the language of functional fixpoint logic 
with second-order quantifiers, allowing us to write formulas of the form ∃f φ and 
∃X φ, where f ∈ F, X ∈ S, and φ is a formula. Obviously, the semantics is that 
“there exists a function f, or a set X, respectively, such that φ holds”. 

As a consequence, it is possible to express any graph property definable in 
monadic second-order logic, the extension of first-order logic with set quantifiers. 


Corollary 7. When restricted to finite graphs equipped with a total order, func- 
tional fixpoint logic is strictly more expressive than monadic second-order logic. 


The strictness of the inclusion in the above corollary follows from the fact 
that even on totally ordered graphs, Hamiltonicity cannot be defined in monadic 
second-order logic (see, e.g., the proof in [4, Prp. 5.13]). As the following example 
shows, this property is easy to express in functional fixpoint logic. 


Example 8 (Hamiltonian cycle). The following formula of functional fixpoint 
logic defines the graph property of Hamiltonicity. That is, an unlabeled graph G 
satisfies this formula if and only if there exists a cycle in G that goes through 
each node exactly once. 


\[
\begin{aligned}
\exists f\Big[\ &\forall x\,(f(x) \frown x) \wedge \forall x\,\exists y\,\big[f(y) = x \wedge \forall z\,(f(z) = x \to z = y)\big] \wedge\\
&\forall X\,\Big(\big[\exists x\,(x \in X) \wedge \forall y\,(y \in X \to f(y) \in X)\big] \to \forall x\,(x \in X)\Big)\Big]
\end{aligned}
\]

Here, x, y, z ∈ N, X ∈ S, and f ∈ F. Intuitively, we represent a given Hamiltonian 
cycle by a function f that tells us for each node x, which of x's neighbors we 
should visit next in order to traverse the entire cycle. Thus, f actually represents 
a directed version of the cycle. 

To ensure the existence of a Hamiltonian cycle, our formula states that there 
is a function f satisfying the following two conditions. By the first line, each 
node x must have exactly one f-predecessor and one f-successor, both of which 
must be neighbors of x. By the second line, if we start at any node x and collect 
into a set X all the nodes reachable from x (by following the path specified by 
f), then X must contain all nodes. 
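The following Python code is an added example, not part of the paper: it implements the partial fixpoint induction of Sect. 4 (stages starting from id_V, reaching a fixpoint or falling back to the identity) and uses it to evaluate the Hamiltonicity formula of Example 8 on small constructed graphs, treating ∃f as iteration over candidate functions and computing the set X of the second line as a set variable encoded by a function, as described under Set variables. The helper mark (the smallest node distinct from u), the cycle-detection shortcut in partial_fixpoint and the sample graphs are assumptions.

```python
"""Partial fixpoint induction (Sect. 4) and the Hamiltonicity formula of
Example 8, evaluated by brute force on small constructed graphs."""
from itertools import product
from typing import Callable, Dict, List, Set, Tuple

Node = int
Func = Tuple[Node, ...]                   # f: V -> V as a tuple, f[u] = image of u
Operator = Callable[[List[Func]], Func]   # F_phi_i: (V^V)^l -> V^V


def identity(n: int) -> Func:
    return tuple(range(n))


def partial_fixpoint(n: int, operators: List[Operator]) -> List[Func]:
    """Stages start at (id_V, ..., id_V); each stage applies every operator to
    its predecessor.  Either a simultaneous fixpoint is reached, or (there being
    finitely many tuples) a stage repeats and the sequence never stabilises; then
    the partial fixpoint is the tuple of identities.  Detecting the repeat is an
    assumed shortcut equivalent to the |V|^(l*|V|) bound from the text."""
    stage = [identity(n)] * len(operators)
    seen = {tuple(stage)}
    while True:
        nxt = [op(stage) for op in operators]
        if nxt == stage:
            return stage
        if tuple(nxt) in seen:              # cycle: no fixpoint exists
            return [identity(n)] * len(operators)
        seen.add(tuple(nxt))
        stage = nxt


# Set variables encoded as functions ("Set variables" above): u is in the set iff
# it is mapped to a node other than itself.  mark() is an assumed choice of that
# node (the smallest one distinct from u; it exists because |V| >= 2).
def mark(n: int, u: Node) -> Node:
    return 1 if u == 0 else 0


def in_set(g: Func, u: Node) -> bool:
    return g[u] != u


def reachable_via_pfp(n: int, f: Func, x: Node) -> Set[Node]:
    """The set X of nodes f-reachable from x, as a partial fixpoint induction on
    one set variable that starts from the empty set."""
    def op(stage: List[Func]) -> Func:
        (g,) = stage
        # phi_X(IN, OUT) := (IN = x or some y in X has f(y) = IN) and OUT = mark(IN).
        # Where phi_X defines no OUT for IN, the new function maps IN to itself.
        return tuple(
            mark(n, u) if u == x or any(in_set(g, y) and f[y] == u for y in range(n))
            else u
            for u in range(n)
        )
    (g,) = partial_fixpoint(n, [op])
    return {u for u in range(n) if in_set(g, u)}


def flip_operator(n: int) -> Operator:
    """phi(IN, OUT) := IN not in X and OUT = mark(IN) toggles every membership,
    so the stages alternate between the empty set and V and never stabilise."""
    def op(stage: List[Func]) -> Func:
        (g,) = stage
        return tuple(mark(n, u) if not in_set(g, u) else u for u in range(n))
    return op


def is_hamiltonian(adj: Dict[Node, Set[Node]]) -> bool:
    """Example 8: some f has (line 1) f(x) adjacent to x and exactly one
    f-predecessor per node, and (line 2) every node f-reaches all of V."""
    n = len(adj)
    nodes = range(n)
    # "exists f" is evaluated by iterating over all candidate functions that
    # already satisfy the adjacency conjunct of line 1.
    for f in product(*(sorted(adj[u]) for u in nodes)):
        if any(sum(1 for y in nodes if f[y] == x) != 1 for x in nodes):
            continue                        # line 1: exactly one predecessor
        if all(reachable_via_pfp(n, f, x) == set(nodes) for x in nodes):
            return True                     # line 2 holds for this f
    return False


# Constructed sample graphs (adjacency sets).
CYCLE4 = {0: {1, 3}, 1: {0, 2}, 2: {1, 3}, 3: {0, 2}}                    # Hamiltonian
BOWTIE = {0: {1, 2}, 1: {0, 2}, 2: {0, 1, 3, 4}, 3: {2, 4}, 4: {2, 3}}   # cut vertex 2
PATH3 = {0: {1}, 1: {0, 2}, 2: {1}}                                      # no cycle

if __name__ == "__main__":
    for name, g in [("CYCLE4", CYCLE4), ("BOWTIE", BOWTIE), ("PATH3", PATH3)]:
        print(name, "Hamiltonian:", is_hamiltonian(g))
    print("non-converging induction falls back to id_V:",
          partial_fixpoint(3, [flip_operator(3)]) == [identity(3)])
```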


5 Translating Between Automata and Logic 


Having introduced both automata and logic, we can proceed to explain the first 
part of Theorem 1 (stated in Sect. 1), i.e., how distributed register automata can 
be translated into functional fixpoint logic. 
Proposition 9. For every distributed register automaton that decides a graph 
property, we can construct an equivalent formula of functional fixpoint logic. 


Proof (sketch). Given a distributed register automaton A = (Q, R, ι, Δ, H, o) 
deciding a graph property P over label set I, we can construct a formula φ_A of 
functional fixpoint logic that defines P. For each state q ∈ Q, our formula uses 
a set variable X_q to represent the set of nodes of the input graph that are in 
state q. Also, for each register r ∈ R, it uses a function variable f_r to represent 
the function that maps each node u to the node v whose identifier is stored 
in u's register r. By means of a partial fixpoint operator, we enforce that on any 
I-labeled graph (G, q), the final interpretations of (X_q)_{q∈Q} and (f_r)_{r∈R} represent 
the halting configuration reached by A on (G, q). The main formula is simply 

\[ \varphi_A := \mathrm{pfp}\big[(X_q\colon \varphi_q)_{q \in Q},\ (f_r\colon \varphi_r)_{r \in R}\big]\ \forall x \Big(\bigvee_{p \in H:\ o(p) = \mathrm{YES}} x \in X_p \Big), \]

which states that all nodes end up in a halting state that outputs YES. 

Basically, the subformulas (φ_q)_{q∈Q} and (φ_r)_{r∈R} can be constructed in such 
a way that for all i ∈ N, the (i + 1)-th stage of the partial fixpoint induction 
represents the configuration reached by A in the i-th round. To achieve this, 
each of the subformulas contains a nested partial fixpoint formula describing 
the result computed by the transition maker Δ between two consecutive synchronous 
rounds, using additional set and function variables to encode the inner 
configurations of Δ at each node. Thus, each stage of the nested partial fixpoint 
induction corresponds to a single step in the transition maker's sequential 
scanning process. 


Let us now consider the opposite direction and sketch how to go from func- 
tional fixpoint logic to distributed register automata. 


Proposition 10. For every formula of functional fixpoint logic that defines a 
graph property, we can construct an equivalent distributed register automaton. 


Proof (sketch). We proceed by structural induction: each subformula φ will be 
evaluated by a dedicated automaton A_φ, and several such automata can then be 
combined to build an automaton for a composite formula. For this purpose, it 
is convenient to design centralized automata, which operate on a given spanning 
tree (as computed in Example 5) and are coordinated by the root in a fairly 
sequential manner. In A_φ, each free node variable x of φ is represented by a 
corresponding input register x whose value at the root is the current interpretation 
x^σ of x. Similarly, to represent a function variable f, every node v has a 
register f storing f^σ(v). The nodes also possess some auxiliary registers whose 
purpose will be explained below. In the end, for any formula φ (potentially 
with free variables), we will have an automaton A_φ computing a transduction 
T_{A_φ}: C(I, {parent, root} ∪ free(φ)) → C({YES, NO}, Ø), where parent and root 
are supposed to constitute a spanning tree. The computation is triggered by the 
root, which means that the other nodes are waiting for a signal to wake up. 




Algorithm 2. A_φ for φ = pfp[f_i: φ_i]_{i∈[1:ℓ]} ψ, as controlled by the root 

    1  init(A_inc) 
    2  repeat 
    3      @every node do for i ∈ [1:ℓ] do f_i ← f_i^new 
    4      for i ∈ [1:ℓ] do update(f_i^new) 
    5      if @every node (∀i ∈ [1:ℓ]: f_i^new = f_i) then goto 8 
    6  until execute(A_inc) returns NO        /* until global counter at maximum */ 
    7  @every node do for i ∈ [1:ℓ] do f_i ← self 
    8  execute(A_ψ) 


Essentially, the nodes involved in the evaluation of φ collect some information, 
send it towards the root, and go back to sleep. The root then returns YES or NO, 
depending on whether or not φ holds in the input graph under the variable 
assignment provided by the input registers. Centralizing A_φ in that way makes 
it very convenient (albeit not efficient) to evaluate composite formulas. For 
example, in A_{φ∨ψ}, the root will first run A_φ, and then A_ψ in case A_φ returns NO. 
The evaluation of atomic formulas is straightforward. So let us focus on the 
most interesting case, namely when φ = pfp[f_i : φ_i]_{i∈[1:ℓ]} ψ. The root's program is 
outlined in Algorithm 2. Line 1 initializes a counter that ranges from 0 to n − 1, 
where n is the number of nodes in the input graph. This counter is distributed 
in the sense that every node has some dedicated registers that together store the 
current counter value. Every execution of A_inc will increment the counter by 1, or 
return NO if its maximum value has been exceeded. Now, in each iteration of the 
loop starting at Line 2, all registers f_i and f_i^new are updated in such a way that 
they represent the current and next stage, respectively, of the partial fixpoint 
induction. For the former, it suffices that every node copies, for all i, the contents 
of f_i^new to f_i (Line 3). To update f_i^new, Line 4 calls a subroutine update(f_i^new) 
whose effect is that f_i^new = F_{φ_i}((f_i)_{i∈[1:ℓ]}) for all i, where F_{φ_i}: (V^V)^ℓ → V^V is 
the operator defined in Sect. 4. Line 5 checks whether we have reached a fixpoint: 
the root asks every node to compare, for all i, its registers f_i^new and f_i. The 
corresponding truth value is propagated back to the root, where false is given 
preference over true. If the result is true, we exit the loop and proceed with 
calling A_ψ to evaluate ψ (Line 8). Otherwise, we try to increment the global 
counter by executing A_inc (Line 6). If the latter returns NO, the fixpoint 
computation is aborted because we know that it has reached a cycle. In accordance 
with the partial fixpoint semantics, all nodes then write their own identifier to 
every register f_i (Line 7) before ψ is evaluated (Line 8). 


6 Conclusion 


This paper makes some progress in the development of a descriptive distributed 
complexity theory by establishing a logical characterization of a wide class of 
network algorithms, modeled as distributed register automata. 


130 B. Bollig et al. 


In our translation from logic to automata, we did not pay much attention to 
algorithmic efficiency. In particular, we made extensive use of centralized subrou- 
tines that are triggered and controlled by a leader process. A natural question for 
future research is to identify cases where we can understand a distributed archi- 
tecture as an opportunity that allows us to evaluate formulas faster. In other 
words, is there an expressive fragment of functional fixpoint logic that gives 
rise to efficient distributed algorithms in terms of running time? What about 
the required number of messages? We are then entering the field of automatic 
synthesis of practical distributed algorithms from logical specifications. This is a 
worthwhile task, as it is often much easier to declare what should be done than 
how it should be done (cf. Examples 6 and 8). 

As far as the authors are aware, this area is still relatively unexplored. How- 
ever, one noteworthy advance was made by Grumbach and Wu in [9], where they 
investigated distributed evaluation of first-order formulas on bounded-degree 
graphs and planar graphs. We hope to follow up on this in future work. 
Abstract. Discounted-sum games provide a formal model for the study 
of reinforcement learning, where the agent is enticed to get rewards 
early since later rewards are discounted. When the agent interacts with 
the environment, she may realize that, with hindsight, she could have 
increased her reward by playing differently: this difference in outcomes 
constitutes her regret value. The agent may thus elect to follow a 
regret-minimal strategy. In this paper, it is shown that (1) there always exist 
regret-minimal strategies that are admissible—a strategy being inadmissible 
if there is another strategy that always performs better; (2) 
computing the minimum possible regret or checking that a strategy is 
regret-minimal can be done in coNP^{NP}, disregarding the computational 
cost of numerical analysis (otherwise, this bound becomes PSpace). 


Keywords: Admissibility · Discounted-sum games · Regret minimization 


1 Introduction 


A pervasive model used to study the strategies of an agent in an unknown envi- 
ronment is two-player infinite horizon games played on finite weighted graphs. 
Therein, the set of vertices of a graph is split between two players, Adam and 
Eve, playing the roles of the environment and the agent, respectively. The play 
starts in a given vertex, and each player decides where to go next when the play 
reaches one of their vertices. Questions asked about these games are usually of 
the form: Does there exist a strategy of Eve such that... ? For such a question 
to be well-formed, one should provide: 


1. A valuation function: given an infinite play, what is Eve’s reward? 
2. Assumptions about the environment: is Adam trying to help or hinder Eve? 


The valuation function can be Boolean, in which case one says that Eve 
wins or loses (one very classical example has Eve winning if the maximum value 
appearing infinitely often along the edges is even). In this setting, it is often 
assumed that Adam is adversarial, and the question then becomes: Can Eve 
always win? (The names of the players stem from this view: is there a strategy 
of ∃ve that always beats ∀dam?) The literature on that subject spans more than 
35 years, with newly found applications to this day (see [4] for comprehensive 
lecture notes, and [7] for an example of recent use in the analysis of attacks in 
cryptocurrencies). 

The valuation function can also aggregate the numerical values along the 
edges into a reward value. We focus in this paper on discounted sum: if w is 
the weight of the edge taken at the n-th step, Eve's reward grows by λ^n · w, 
where λ ∈ (0,1) is a prescribed discount factor. Discounting future rewards is a 
classical notion used in economics [18], Markov decision processes [9, 16], systems 
theory [1], and is at the heart of Q-learning, a reinforcement learning technique 
widely used in machine learning [19]. In this setting, we consider three attitudes 
towards the environment: 


— The adversarial environment hypothesis translates to Adam trying to min- 
imize Eve’s reward, and the question becomes: Can Eve always achieve a 
reward of x? This problem is in NP ∩ coNP [20] and showing a P upper-bound 
would constitute a major breakthrough (namely, it would imply the same for 
so-called parity games [15]). A strategy of Eve that maximizes her rewards 
against an adversarial environment is called worst-case optimal. Conversely, 
a strategy that maximizes her rewards assuming a collaborative environment 
is called best-case optimal. 

— Assuming that the environment is adversarial is drastic, if not pessimistic. Eve 
could rather be interested in settling for a strategy σ which is not consistently 
bad: if another strategy σ' gives a better reward in one environment, there 
should be another environment for which σ is better than σ'. Such strategies, 
called admissible [5], can be seen as an a priori rational choice. 

— Finally, Eve could put no assumption on the environment, but regret not 
having done so. Formally, the regret value of Eve’s strategy is defined as the 
maximal difference, for all environments, between the best value Eve could 
have obtained and the value she actually obtained. Eve can thus be inter- 
ested in following a strategy that achieves the minimal regret value, aptly 
called a regret-minimal strategy [10]. This constitutes an a posteriori ratio- 
nal choice [12]. Regret-minimal strategies were explored in several contexts, 
with applications including competitive online algorithm synthesis [3,11] and 
robot-motion planning [13, 14]. 


In this paper, we single out a class of strategies for Eve that first follow a 
best-case optimal strategy, then switch to a worst-case optimal strategy after 
some precise time; we call these strategies optipess. Our main contributions are 
then: 


1. Optipess strategies are not only regret-minimal (a fact established in [13]) 
but also admissible—note that there are regret-minimal strategies that are 
not admissible and vice versa. On the way, we show that for any strategy of 
Eve there is an admissible strategy that performs at least as well; this is a 
peculiarity of discounted-sum games. 

2. The regret value of a given time-switching strategy can be computed with 
an NP algorithm (disregarding the cost of numerical analysis). The main 
technical hurdle is showing that exponentially long paths can be represented 
succinctly, a result of independent interest. 

3. The question Can Eve's regret be bounded by x? is decidable in NP^{NP} (again 
disregarding the cost of numerical analysis, PSpace otherwise), improving on 
the implicit NExp algorithm of [13]. The algorithm consists in guessing a 
time-switching strategy and computing its regret value; since optipess strate- 
gies are time-switching strategies that are regret-minimal, the algorithm will 
eventually find the minimal regret value of the input game. 


Structure of the Paper. Notations and definitions are introduced in Sect. 2. The 
study of admissibility appears in Sect. 3, and is independent from the complexity 
analysis of regret. The main algorithm devised in this paper (point 2 above) is 
presented in Theorem 5, Sect. 6; it relies on technical lemmas that are the focus 
of Sects. 4 and 5. We encourage the reader to go through the statements of the 
lemma sections, then through the proof of Theorem 5, to get a good sense of the 
role each lemma plays. 

In more detail, in Sect. 4 we provide a crucial lemma that allows us to represent 
long paths succinctly, and in Sect. 5, we argue that the important values of a 
game (regret, best-case, worst-case) have short witnesses. In Sect. 6, we use these 
lemmas to devise our algorithms. 


2 Preliminaries 


We assume familiarity with basic graph and complexity theory. Some more spe- 
cific definitions and known results are recalled here. 


Game, Play, History. A (discounted-sum) game G is a tuple (V, v_0, V_∃, E, w, λ) 
where V is a finite set of vertices, v_0 is the starting vertex, V_∃ ⊆ V is the subset 
of vertices that belong to Eve, E ⊆ V × V is a set of directed edges, w: E → ℤ 
is an (edge-)weight function, and 0 < λ < 1 is a rational discount factor. The 
vertices in V \ V_∃ are said to belong to Adam. Since we consider games played 
for an infinite number of turns, we will always assume that every vertex has at 
least one outgoing edge. 

A play is an infinite path v_1 v_2 ⋯ ∈ V^ω in the digraph (V, E). A history 
h = v_1 ⋯ v_n is a finite path. The length of h, written |h|, is the number of edges 
it contains: |h| ≝ n − 1. The set Hist consists of all histories that start in v_0 
and end in a vertex from V_∃. 


Strategies. A strategy of Eve in G is a function σ that maps histories ending in 
some vertex v ∈ V_∃ to a neighbouring vertex v' (i.e., (v, v') ∈ E). The strategy 
σ is positional if for all histories h, h' ending in the same vertex, σ(h) = σ(h'). 
Strategies of Adam are defined similarly. 

A history h = v_1 ⋯ v_n is said to be consistent with a strategy σ of Eve if for 
all i ≥ 2 such that v_i ∈ V_∃, we have that σ(v_1 ⋯ v_{i−1}) = v_i. Consistency with 
strategies of Adam is defined similarly. We write Hist(σ) for the set of histories 
in Hist that are consistent with σ. A play is consistent with a strategy (of either 
player) if all its prefixes are consistent with it. 

Given a vertex v and both Adam and Eve's strategies, τ and σ respectively, 
there is a unique play starting in v that is consistent with both, called the 
outcome of τ and σ on v. This play is denoted out^v(σ, τ). 

For a strategy σ of Eve and a history h ∈ Hist(σ), we let σ_h be the strategy 
of Eve that assumes h has already been played. Formally, σ_h(h') = σ(h · h') for 
any history h' (we will use this notation only on histories h' that start with the 
ending vertex of h). 


Values. The value of a history h = v_1 ⋯ v_n is the discounted sum of the weights 
on the edges: 

$$\mathrm{Val}(h) = \sum_{i=0}^{|h|-1} \lambda^{i}\, w(v_i, v_{i+1})$$


The value of a play is simply the limit of the values of its prefixes. 
The antagonistic value of a strategy σ of Eve with history h = v_1 ⋯ v_n is 
the value Eve achieves when Adam tries to hinder her, after h: 

$$\mathrm{aVal}^{h}(\sigma) \stackrel{\text{def}}{=} \mathrm{Val}(h) + \lambda^{|h|} \cdot \inf_{\tau} \mathrm{Val}\big(\mathrm{out}^{v_n}(\sigma_h, \tau)\big),$$

where τ ranges over all strategies of Adam. The collaborative value cVal^h(σ) 
is defined in a similar way, by substituting "sup" for "inf." We write aVal^h 
(resp. cVal^h) for the best antagonistic (resp. collaborative) value achievable by 
Eve with any strategy. 


Types of Strategies. A strategy σ of Eve is strongly worst-case optimal (SWO) 
if for every history h we have aVal^h(σ) = aVal^h; it is strongly best-case optimal 
(SBO) if for every history h we have cVal^h(σ) = cVal^h. 

We single out a class of SWO strategies that perform well if Adam turns out to 
be helping. A SWO strategy σ of Eve is strongly best worst-case optimal (SBWO) 
if for every history h we have cVal^h(σ) = acVal^h, where: 

$$\mathrm{acVal}^{h} \stackrel{\text{def}}{=} \sup\{\mathrm{cVal}^{h}(\sigma') \mid \sigma' \text{ is a SWO strategy of Eve}\}.$$


In the context of discounted-sum games, strategies that are positional and 
strongly optimal always exist. Furthermore, the set of all such strategies can be 
characterized by local conditions. 
Lemma 1 (Follows from [20, Theorem 5.1]). There exist positional SWO, 
SBO, and SBWO strategies in every game. For any positional strategy σ of Eve: 

- (∀v ∈ V) [aVal^v(σ) = aVal^v] iff σ is SWO; 
- (∀v ∈ V) [cVal^v(σ) = cVal^v] iff σ is SBO; 
- (∀v ∈ V) [aVal^v(σ) = aVal^v ∧ cVal^v(σ) = acVal^v] iff σ is SBWO. 


Regret. The regret of a strategy σ of Eve is the maximal difference between 
the value obtained by using σ and the value obtained by using an alternative 
strategy: 

$$\mathrm{Reg}(\sigma) \stackrel{\text{def}}{=} \sup_{\tau}\Big(\big(\sup_{\sigma'} \mathrm{Val}(\mathrm{out}^{v_0}(\sigma', \tau))\big) - \mathrm{Val}(\mathrm{out}^{v_0}(\sigma, \tau))\Big)$$

where τ and σ' range over all strategies of Adam and Eve, respectively. The 
(minimal) regret of G is then Reg ≝ inf_σ Reg(σ). 

Regret can also be characterized by considering the point in history when 
Eve should have done things differently. Formally, for any vertices u and v let 
cVal^u_{¬v} be the maximal cVal^u(σ) for strategies σ verifying σ(u) ≠ v. Then: 


Lemma 2 ([13, Lemma 13]). For all strategies σ of Eve: 

$$\mathrm{Reg}(\sigma) = \sup\big\{\lambda^{|h|}\,\big(\mathrm{cVal}^{v_n}_{\neg\sigma(h)} - \mathrm{aVal}^{v_n}(\sigma_h)\big) \;\big|\; h = v_0 \cdots v_n \in \mathrm{Hist}(\sigma)\big\}$$
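The definitions of Sect. 2 and the characterization of Lemma 2, worked through on a small constructed game (added example, not code from the paper; the game, its vertex names and the positional strategies are assumptions). Values are obtained by value iteration, Lemma 1's local conditions are checked for positional strategies, and the regret of a positional σ is read off Lemma 2 using the shortest σ-consistent history that reaches each vertex of Eve.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Game:
    edges: dict        # v -> [(u, w(v, u))]; every vertex has at least one successor
    eve: frozenset     # V_∃, the vertices owned by Eve; the others belong to Adam
    v0: str            # starting vertex
    lam: float         # discount factor λ ∈ (0, 1)


# Constructed game (hypothetical names): Adam owns v0, s, t, g, b; Eve owns v1, v2.
EXAMPLE = Game(
    edges={
        "v0": [("v1", 0), ("v2", 0)],
        "v1": [("s", 0), ("t", 0)],   # safe sink s, or risky t where Adam decides
        "v2": [("s", 0), ("g", 0)],   # g is strictly better than s from here
        "s":  [("s", 1)],             # self-loop of weight 1: value 1/(1-λ) = 2
        "t":  [("g", 0), ("b", 0)],   # Adam picks the good or the bad sink
        "g":  [("g", 4)],             # value 4/(1-λ) = 8
        "b":  [("b", 0)],             # value 0
    },
    eve=frozenset({"v1", "v2"}),
    v0="v0",
    lam=0.5,
)


def values(g, sigma=None, collaborative=False, tol=1e-12):
    """Value iteration for x(v) = opt over (v,u) ∈ E of w(v,u) + λ·x(u).

    Eve maximises (or follows the positional strategy `sigma` if given); Adam
    minimises for aVal and maximises for cVal (`collaborative`). The operator
    is a λ-contraction, so the iteration converges to the unique fixed point.
    """
    x = {v: 0.0 for v in g.edges}
    while True:
        nxt = {}
        for v, outs in g.edges.items():
            if v in g.eve and sigma is not None:
                outs = [(u, w) for (u, w) in outs if u == sigma[v]]
            cands = [w + g.lam * x[u] for (u, w) in outs]
            nxt[v] = max(cands) if (v in g.eve or collaborative) else min(cands)
        delta = max(abs(nxt[v] - x[v]) for v in g.edges)
        x = nxt
        if delta < tol:
            return x


def is_swo(g, sigma, tol=1e-9):
    """Lemma 1: a positional σ is SWO iff aVal^v(σ) = aVal^v for every vertex v."""
    best, mine = values(g), values(g, sigma)
    return all(abs(best[v] - mine[v]) < tol for v in g.edges)


def is_sbo(g, sigma, tol=1e-9):
    """Lemma 1: a positional σ is SBO iff cVal^v(σ) = cVal^v for every vertex v."""
    best, mine = values(g, collaborative=True), values(g, sigma, collaborative=True)
    return all(abs(best[v] - mine[v]) < tol for v in g.edges)


def cval_not(g, cval, u, v):
    """cVal^u_{¬v}: best collaborative value from u when Eve does not move to v,
    or None when u has no successor other than v (no deviation exists)."""
    alts = [w + g.lam * cval[u2] for (u2, w) in g.edges[u] if u2 != v]
    return max(alts) if alts else None


def shortest_depths(g, sigma):
    """Minimal |h| over histories h ∈ Hist(σ) ending in each vertex (BFS from v0);
    Eve's moves are forced by the positional σ, Adam may take any edge."""
    depth, queue = {g.v0: 0}, deque([g.v0])
    while queue:
        v = queue.popleft()
        succs = [sigma[v]] if v in g.eve else [u for (u, _) in g.edges[v]]
        for u in succs:
            if u not in depth:
                depth[u] = depth[v] + 1
                queue.append(u)
    return depth


def regret_positional(g, sigma):
    """Reg(σ) of a positional σ, read off Lemma 2.

    For positional σ we have σ_h = σ, so the term for h = v0…vn depends only on
    vn and |h|; a positive difference is discounted least along the shortest
    σ-consistent history reaching vn. Reg(σ) ≥ 0 since σ' = σ is allowed.
    """
    aval_sigma, cval = values(g, sigma), values(g, collaborative=True)
    reg = 0.0
    for v, d in shortest_depths(g, sigma).items():
        if v in g.eve:
            alt = cval_not(g, cval, v, sigma[v])
            if alt is not None:
                reg = max(reg, g.lam ** d * (alt - aval_sigma[v]))
    return reg


if __name__ == "__main__":
    for sigma in ({"v1": "s", "v2": "s"}, {"v1": "s", "v2": "g"}, {"v1": "t", "v2": "g"}):
        print(sigma, "SWO:", is_swo(EXAMPLE, sigma), "SBO:", is_sbo(EXAMPLE, sigma),
              "Reg(σ):", round(regret_positional(EXAMPLE, sigma), 6))
```

In the constructed game the pessimistic choice at v1 (play to s) and the optimistic one (play to t) carry the same regret, while playing to s from v2 is regretted by the most, since g is available directly.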


Switching and Optipess Strategies. Given strategies σ_1, σ_2 of Eve and a threshold 
function t: V_∃ → ℕ ∪ {∞}, we define the switching strategy σ_1 →_t σ_2 for any history 
h = v_1 ⋯ v_n ending in V_∃ as: 

$$(\sigma_1 \to_t \sigma_2)(h) = \begin{cases} \sigma_2(h) & \text{if } (\exists i)\,[i \geq t(v_i)], \\ \sigma_1(h) & \text{otherwise.} \end{cases}$$

We refer to histories for which the first condition above holds as switched histories, 
to all others as unswitched histories. The strategy σ = σ_1 →_t σ_2 is said to 
be bipositional if both σ_1 and σ_2 are positional. Note that in that case, for all 
histories h, if h is switched then σ_h = σ_2, and otherwise σ_h is the same as σ 
but with t(v) changed to max{0, t(v) − |h|} for all v ∈ V_∃. In particular, if |h| is 
greater than max{t(v) < ∞}, then σ_h is nearly positional: it switches to σ_2 as 
soon as it sees a vertex with t(v) ≠ ∞. 

A strategy σ is perfectly optimistic-then-pessimistic (optipess, for short) if 
there are positional SBO and SBWO strategies σ^{sbo} and σ^{sbwo} such that σ = 
σ^{sbo} →_t σ^{sbwo} where t(v) = inf{i ∈ ℕ | λ^i (cVal^v − aVal^v) ≤ Reg}. 
Theorem 1 ([13]). For all optipess strategies σ of Eve, Reg(σ) = Reg. 


Conventions. As we have done so far, we will assume throughout the paper 
that a game G is fixed—with the notable exception of the results on complexity, 
in which we assume that the game is given with all numbers in binary. Regard- 
ing strategies, we assume that bipositional strategies are given as two positional 
strategies and a threshold function encoded as a table with binary-encoded entries. 




Example 1. Consider the following game, where round vertices are owned by 
Eve, and square ones by Adam. The double edges represent Eve's positional 
strategy σ: 

[Figure: the game graph of Example 1; the drawing is not recoverable from the extracted text.] 


Eve's strategy has a regret value of 2λ²/(1 − λ). This is realized when Adam 
plays from v_0 to v_1, from v_1 to x, and from v_1' to y. Against that strategy, Eve 
ensures a discounted-sum value of 0 by playing according to σ while regretting 
not having played to v_1' to obtain 2λ²/(1 − λ). 


3 Admissible Strategies and Regret 


There is no reason for Eve to choose a strategy that is consistently worse than 
another one. This classical idea is formalized using the notions of strategy 
domination and admissible strategies. In this section, which is independent from the 
rest of the paper, we study the relation between admissible and regret-minimal 
strategies. Let us start by formally introducing the relevant notions: 


Definition 1. Let σ_1, σ_2 be two strategies of Eve. We say that σ_1 is weakly 
dominated by σ_2 if Val(out^{v_0}(σ_1, τ)) ≤ Val(out^{v_0}(σ_2, τ)) for every strategy τ 
of Adam. We say that σ_1 is dominated by σ_2 if σ_1 is weakly dominated by σ_2 
but not conversely. A strategy σ of Eve is admissible if it is not dominated by 
any other strategy. 


In other words, admissible strategies are maximal elements for the weak- 
domination pre-order. 
Example 2. Consider the following game, where the strategy σ of Eve is shown 
by the double edges: 

[Figure: the game graph of Example 2; the drawing is not recoverable from the extracted text.] 

This strategy guarantees a discounted-sum value of 6λ²/(1 − λ) against any strategy 
of Adam. Furthermore, it is worst-case optimal since playing to v_1 instead 
of v_2 would allow Adam the opportunity to ensure a strictly smaller value by 
playing to v_1'. The latter also implies that σ is admissible. Interestingly, playing 
to v_1 is also an admissible behavior of Eve since, against a strategy of Adam 
that plays from v_1 to v_4, it obtains 10λ²/(1 − λ) > 6λ²/(1 − λ). 


The two examples above can be used to argue that the sets of strategies that 
are regret minimal and admissible, respectively, are in fact incomparable. 


Proposition 1. There are regret-optimal strategies that are not admissible and 
admissible strategies that have suboptimal regret. 


Proof (Sketch). Consider once more the game depicted in Example 1 and recall 
that the strategy σ of Eve corresponding to the double edges has minimal regret. 
This strategy is not admissible: it is dominated by the alternative strategy σ' of 
Eve that behaves like σ from v_1 but plays to v_1' from v_2. Indeed, if Adam plays 
to v_1 from v_0 then the outcomes of σ and σ' are the same. However, if Adam 
plays to v_2 then the value of the outcome of σ is 0 while the value of the outcome 
of σ' is strictly greater than 0. 

Similarly, the strategy σ depicted by double edges in the game from 
Example 2 is admissible but not regret-minimizing. In fact, her strategy σ' that 
consists in playing to v_1 from v_0 has a smaller regret. 


In the rest of this section, we show that (1) any strategy is weakly dominated 
by an admissible strategy; (2) being dominated entails more regret; (3) optipess 
strategies are both regret-minimal and admissible. We will need the following: 


Lemma 3 ([6]). A strategy σ of Eve is admissible if and only if for every history 
h ∈ Hist(σ) the following holds: either cVal^h(σ) > aVal^h or aVal^h(σ) = 
cVal^h(σ) = aVal^h = acVal^h. 


The above characterization of admissible strategies in so-called well-formed 
games was proved in [6, Theorem 11]. Lemma 3 follows from the fact that 
discounted-sum games are well-formed. 


3.1 Any Strategy Is Weakly Dominated by an Admissible Strategy 


We show that discounted-sum games have the distinctive property that every 
strategy is weakly dominated by an admissible strategy. This is in stark contrast 
with most cases where admissibility has been studied previously [6]. 
Theorem 2. Any strategy of Eve is weakly dominated by an admissible strategy. 

Proof (Sketch). The main idea is to construct, based on σ, a strategy σ' that will 
switch to a SBWO strategy as soon as σ does not satisfy the characterization of 
Lemma 3. The first part of the argument consists in showing that σ is indeed 
weakly dominated by σ'. This is easily done by comparing, against each strategy 
τ of Adam, the values of σ and σ'. The second part consists in verifying that 
σ' is indeed admissible. This is done by checking that each history h consistent 
with σ' satisfies the characterization of Lemma 3, that is cVal^h(σ') > aVal^h or 
aVal^h(σ') = cVal^h(σ') = aVal^h = acVal^h. 


3.2 Being Dominated Is Regretful 


Theorem 3. For all strategies σ, σ' of Eve such that σ is weakly dominated 
by σ', it holds that Reg(σ') ≤ Reg(σ). 

Proof. Let σ, σ' be such that σ is weakly dominated by σ'. This means that for 
every strategy τ of Adam, we have that Val(π) ≤ Val(π') where π = out^{v_0}(σ, τ) 
and π' = out^{v_0}(σ', τ). Consequently, we obtain 

$$\Big(\sup_{\sigma''} \mathrm{Val}(\mathrm{out}^{v_0}(\sigma'', \tau))\Big) - \mathrm{Val}(\pi') \;\leq\; \Big(\sup_{\sigma''} \mathrm{Val}(\mathrm{out}^{v_0}(\sigma'', \tau))\Big) - \mathrm{Val}(\pi).$$

As this holds for any τ, we can conclude that sup_τ sup_{σ''} (Val(out^{v_0}(σ'', τ)) − 
Val(out^{v_0}(σ', τ))) ≤ sup_τ sup_{σ''} (Val(out^{v_0}(σ'', τ)) − Val(out^{v_0}(σ, τ))), that is 
Reg(σ') ≤ Reg(σ). 


It follows from Proposition 1, however, that the converse of the theorem is false. 


3.3 Optipess Strategies Are both Regret-Minimal and Admissible 


Recall that there are admissible strategies that are not regret-minimal and vice 
versa (Proposition 1). However, as a direct consequence of Theorems 2 and 3, 
there always exist regret-minimal admissible strategies. It turns out that optipess 
strategies, which are regret-minimal (Theorem 1), are also admissible: 


Theorem 4. All optipess strategies of Eve are admissible. 


Proof. Let σ = σ^{sbo} →_t σ^{sbwo} be an optipess strategy; we show it is admissible. 
To this end, let h = v_0 ⋯ v_n ∈ Hist(σ); we show that one of the properties of 
Lemma 3 holds. There are two cases: 

(h is switched.) In that case, σ_h = σ^{sbwo}. Since σ^{sbwo} is an SBWO strategy, 
cVal^h(σ^{sbwo}) = acVal^h. Now if acVal^h > aVal^h, then: 

$$\mathrm{cVal}^{h}(\sigma) = \mathrm{cVal}^{h}(\sigma^{sbwo}) = \mathrm{acVal}^{h} > \mathrm{aVal}^{h},$$

and σ satisfies the first property of Lemma 3. Otherwise acVal^h = aVal^h and 
the second property holds: we have that cVal^h(σ) = acVal^h, and as σ^{sbwo} is an 
SWO and aVal^h(σ) = aVal^h(σ^{sbwo}), we also have that aVal^h(σ) = aVal^h. 

(h is unswitched.) We show that cVal^h(σ) > aVal^h. Since h is unswitched, 
we have in particular that: 

$$\mathrm{Reg}(\sigma) = \mathrm{Reg} < \lambda^{n}\,(\mathrm{cVal}^{v_n} - \mathrm{aVal}^{v_n}). \tag{1}$$

Furthermore: 

$$\lambda^{n}\,(\mathrm{cVal}^{v_n} - \mathrm{aVal}^{v_n}) = (\mathrm{Val}(h) + \lambda^{n}\mathrm{cVal}^{v_n}) - (\mathrm{Val}(h) + \lambda^{n}\mathrm{aVal}^{v_n}) = \mathrm{cVal}^{h} - \mathrm{aVal}^{h},$$

and combining the previous equation with Eq. 1, we obtain: 

$$\mathrm{cVal}^{h} - \mathrm{Reg}(\sigma) > \mathrm{aVal}^{h}.$$

To conclude, we show that Reg(σ) ≥ cVal^h − cVal^h(σ). Consider a strategy 
τ of Adam such that h is consistent with both σ^{sbo} and τ and satisfying 
Val(out^{v_0}(σ^{sbo}, τ)) = cVal^h. (That such a τ exists is intuitively clear since σ 
has been following the SBO strategy σ^{sbo} along h.) It holds immediately that 
cVal^h(σ) ≥ Val(out^{v_0}(σ, τ)). Now by definition of the regret: 

$$\mathrm{Reg}(\sigma) \geq \mathrm{Val}(\mathrm{out}^{v_0}(\sigma^{sbo}, \tau)) - \mathrm{Val}(\mathrm{out}^{v_0}(\sigma, \tau)) \geq \mathrm{cVal}^{h} - \mathrm{cVal}^{h}(\sigma).$$


4 Minimal Values Are Witnessed by a Single Iterated 
Cycle 


We start our technical work towards a better algorithm to compute the regret 
value of a game. Here, we show that there are succinctly presentable histories 
that witness small values in the game. Our intention is to later use this result 
to apply a modified version of Lemma 2 to bipositional strategies to argue there 
are small witnesses of a strategy having too much regret. 

More specifically, we show that for any history h, there is another history h' 
of the same length that has smaller value and such that h' = α · β^k · γ where 
|αβγ| is small. This will allow us to find the smallest possible value among 
exponentially long histories by guessing α, β, γ, and k, which will all be small. 
This property holds for a wealth of different valuation functions, hinting at 
possible further applications. For discounted-sum games, the following suffices 
to prove the desired property holds. 


Lemma 4. For any history h = α · β · γ with α and γ same-length cycles: 

$$\min\{\mathrm{Val}(\alpha^2 \cdot \beta),\, \mathrm{Val}(\beta \cdot \gamma^2)\} \leq \mathrm{Val}(h).$$
Within the proof of the key lemma of this section, and later on when we use 
it (Lemma 9), we will rely on the following notion of cycle decomposition: 


Definition 2. A simple-cycle decomposition (SCD) is a pair consisting of paths 
and iterated simple cycles. Formally, an SCD is a pair D = ((α_i)_{i=0}^{n}; (β_j, k_j)_{j=1}^{n}), 
where each α_i is a path, each β_j is a simple cycle, and each k_j is a positive 
integer. We write D(j) = β_j^{k_j} · α_j and D(∗) = α_0 · D(1)D(2) ⋯ D(n). 

By carefully iterating Lemma 4, we have: 

Lemma 5. For any history h there exists a history h' = α · β^k · γ with: 

- h and h' have the same starting and ending vertices, and the same length; 
- Val(h') ≤ Val(h); 
- |αβγ| ≤ 4|V|² and β is a simple cycle. 


Proof. In this proof, we focus on SCDs for which each path α_i is simple; 
we call them βCDs. We define a well-founded partial order on βCDs. Let 
D = ((α_i)_{i=0}^{n}; (β_j, k_j)_{j=1}^{n}) and D' = ((α'_i)_{i=0}^{n'}; (β'_j, k'_j)_{j=1}^{n'}) be two βCDs; we write 
D' < D iff all the following holds: 

- D(∗) and D'(∗) have the same starting and ending vertices, the same length, 
and satisfy Val(D'(∗)) ≤ Val(D(∗)) and n' ≤ n; 
- Either n' < n, or |α'_0 ⋯ α'_{n'}| < |α_0 ⋯ α_n|, or |{k'_i > |V|}| < |{k_i > |V|}|. 


That this order has no infinite descending chain is clear. We show two claims: 


1. Any βCD with n greater than |V| has a smaller βCD; 
2. Any βCD with two k_j, k_{j'} > |V| has a smaller βCD. 

Together they imply that for a smallest βCD D, D(∗) is of the required form. 
Indeed let j be the unique value for which k_j > |V|, then the statement of the 
Lemma is satisfied by letting α = α_0 · D(1) ⋯ D(j − 1), β = β_j, k = k_j, and 
γ = α_j · D(j + 1) ⋯ D(n). 

Claim 1. Suppose D has n > |V|. Since all cycles are simple, there are 
two cycles β_j, β_{j'}, j < j', of the same length. We can apply Lemma 4 on the path 
β_j · (α_j D(j + 1) ⋯ D(j' − 1)) · β_{j'}, and remove one of the two cycles while 
duplicating the other; we thus obtain a similar path of smaller value. This can 
be done repeatedly until we obtain a path with only one of the two cycles, say 
β_{j'}, the other case being similar. Substituting this path in D(∗) results in: 

$$\alpha_0 \cdot D(1) \cdots D(j-1) \cdot \big(\alpha_j\, D(j+1) \cdots D(j'-1) \cdot \beta_{j'}^{k_j + k_{j'}}\big) \cdot \alpha_{j'} \cdot D(j'+1) \cdots D(n).$$

This gives rise to a smaller βCD as follows. If α_{j−1}α_j is still a simple path, 
then the above history is expressible as a βCD with a smaller number of cycles. 
Otherwise, we rewrite α_{j−1}α_j = α'_{j−1} γ_j α'_j, where α'_{j−1} and α'_j are simple paths 
and γ_j is a simple cycle; since |α'_{j−1}α'_j| < |α_{j−1}α_j|, the resulting βCD is smaller. 
Claim 2. Suppose D has two k_j, k_{j'} > |V|, j < j'. Since each cycle in 
the βCD is simple, k_j and k_{j'} are greater than both |β_j| and |β_{j'}|; let us write 
k_j = b|β_{j'}| + r with 0 ≤ r < |β_{j'}|, and similarly, k_{j'} = b'|β_j| + r'. We have: 

$$D(j) \cdots D(j') = \beta_j^{r} \cdot \big(\beta_j^{|\beta_{j'}|}\big)^{b} \cdot \alpha_j \cdot D(j+1) \cdots D(j'-1) \cdot \big(\beta_{j'}^{|\beta_j|}\big)^{b'} \cdot \beta_{j'}^{r'} \cdot \alpha_{j'}.$$

Noting that β_j^{|β_{j'}|} and β_{j'}^{|β_j|} are cycles of the same length, we can transfer all the 
occurrences of one to the other, as in Claim 1. Similarly, if two simple paths get 
merged and give rise to a cycle, a smaller βCD can be constructed; if not, then 
there are now at most r < |V| occurrences of β_j (or conversely, r' of β_{j'}), again 
resulting in a smaller βCD. 


5 Short Witnesses for Regret, Antagonistic, 
and Collaborative Values 


We continue our technical work towards our algorithm for computing the regret 
value. In this section, the overarching theme is that of short witnesses. We show 
that (1) the regret value of a strategy is witnessed by histories of bounded 
length; (2) the collaborative value of a game is witnessed by a simple path and 
an iterated cycle; (3) the antagonistic value of a strategy is witnessed by an SCD 
and an iterated cycle. 


5.1 Regret Is Witnessed by Histories of Bounded Length 


Lemma 6. Let σ = σ_1 →_t σ_2 be an arbitrary bipositional switching strategy of 
Eve and let C = 2|V| + max{t(v) < ∞}. We have that: 

$$\mathrm{Reg}(\sigma) = \max\big\{\lambda^{|h|}\,\big(\mathrm{cVal}^{v_n}_{\neg\sigma(h)} - \mathrm{aVal}^{v_n}(\sigma_h)\big) \;\big|\; h = v_0 \cdots v_n \in \mathrm{Hist}(\sigma),\ n \leq C\big\}.$$


Proof. Consider a history h of length greater than C, and write h = h_1 · h_2 with 
|h_1| = max{t(v) < ∞}. Let h_2 = p · p' where p is the maximal prefix of h_2 such 
that h_1 · p is unswitched—we set p = ε if h is switched. Note that one of p or p' 
is longer than |V|—say p, the other case being similar. This implies that there 
is a cycle in p, i.e., p = α · β · γ with β a cycle. Let h' = h_1 · α · γ · p'; this history 
has the same starting and ending vertex as h. Moreover, since |h_1| is larger than 
any value of the threshold function, σ_h = σ_{h'}. Lastly, h' is still in Hist(σ), since 
the removed cycle did not play a role in switching strategy. This shows: 

$$\mathrm{cVal}^{v_n}_{\neg\sigma(h)} - \mathrm{aVal}^{v_n}(\sigma_h) = \mathrm{cVal}^{v_n}_{\neg\sigma(h')} - \mathrm{aVal}^{v_n}(\sigma_{h'}).$$

Since the length of h is greater than the length of h', the discounted value 
for h' will be greater than that of h, resulting in a higher regret value. There is 
thus no need to consider histories of size greater than C. 
It may seem from this lemma and the fact that t(v) may be very large 
that we will need to guess histories of considerable length. However, since we 
will be considering bipositional switching strategies, we will only be interested 
in guessing some properties of the histories that are not hard to verify: 


Lemma 7. The following problem is decidable in NP: 
Given: A game, a bipositional switching strategy σ, 
a number n in binary, a Boolean b, and two vertices v, v'. 
Question: Is there an h ∈ Hist(σ) of length n, switched iff b, 
ending in v, with σ(h) = v'? 


Proof. This is done by guessing multiple flows within the graph (V, E). Here, 
we call flow a valuation of the edges E by integers, that describes the number 
of times a path crosses each edge. Given a vector in ℕ^E, it is not hard to check 
whether there is a path that it represents, and to extract the initial and final 
vertices of that path [17]. 


We first order the different thresholds from the strategy σ = σ_1 →_t σ_2: let 
V_∃ = {v_1, v_2, ..., v_k} with t(v_i) ≤ t(v_{i+1}) for all i. We analyze the structure of 
histories consistent with σ. Let h ∈ Hist(σ), and write h = h' · h'' where h' is 
the maximal unswitched prefix of h. Naturally, h' is consistent with σ_1 and h'' 
is consistent with σ_2. Then h' = h_0 h_1 ⋯ h_i, for some i ≤ |V_∃|, with: 

- |h_0| = t(v_1) and for all 1 ≤ j < i, |h_j| = t(v_{j+1}) − t(v_j); 
- For all 0 ≤ j ≤ i, h_j does not contain a vertex v_k with k ≤ j. 

To confirm the existence of a history with the given parameters, it is thus 
sufficient to guess the value i ≤ |V_∃|, and to guess i connected flows (rather than 
paths) with the above properties that are consistent with σ_1. Finally, we guess 
a flow for h'' consistent with σ_2 if we need a switched history, and verify that 
it is starting at a switching vertex. The flows must sum to n + 1, with the last 
vertex being v', and the previous v. 


5.2 Short Witnesses for the Collaborative and Antagonistic Values 


Lemma 8. There is a set P of pairs (α, β) with α a simple path and β a simple 
cycle such that: 

- cVal^{v_0} = max{Val(α · β^ω) | (α, β) ∈ P} and 
- membership in P is decidable in polynomial time w.r.t. the game. 


Proof. We argue that the set P of all pairs (α, β) with α a simple path, β a 
simple cycle, and such that α · β is a path, gives us the result. 

The first part of the claim is a consequence of Lemma 1: Consider positional 
SBO strategies τ and σ of Adam and Eve, respectively. Since they are positional, 
the path out^{v_0}(σ, τ) is of the form α · β^ω, as required, and its value is cVal^{v_0}. 
We can thus let P be the set of all pairs obtained from such SBO strategies. 
Moreover, it can be easily checked that for all pairs (α, β) such that α · β is a 
path in the game there exists a pair of strategies with outcome α · β^ω. (Note that 
verifying whether α · β is a path can indeed be done in polynomial time given α 
and β.) Finally, the value Val(α · β^ω) will, by definition, be at most cVal^{v_0}. 


Lemma 9. Let $\sigma$ be a bipositional switching strategy of Eve. There is a set $K$ of pairs $(D, \beta)$ with $D$ an SCD and $\beta$ a simple cycle such that:

- $\mathrm{aVal}^{v_0}(\sigma) = \min\{\mathrm{Val}(D(x) \cdot \beta^\omega) \mid (D, \beta) \in K\}$ and
- the size of each pair is polynomially bounded, and membership in $K$ is decidable in polynomial time w.r.t. $\sigma$ and the game.


Proof. We will prove that the set $K$ of all pairs $(D, \beta)$ with $D$ an SCD of polynomial length (which will be specified below), $\beta$ a simple cycle, and such that $D(x) \cdot \beta$ is a path, satisfies our claims.

Let $C = \max\{t(v) < \infty\}$, and consider a play $\pi$ consistent with $\sigma$ that achieves the value $\mathrm{aVal}^{v_0}(\sigma)$. Write $\pi = h \cdot \pi'$ with $|h| = C$, and let $v$ be the final vertex of $h$. Naturally:

$$\mathrm{aVal}^{v_0}(\sigma) = \mathrm{Val}(\pi) = \mathrm{Val}(h) + \lambda^{|h|}\,\mathrm{Val}(\pi') .$$


We first show how to replace $\pi'$ by some $\alpha \cdot \beta^\omega$, with $\alpha$ a simple path and $\beta$ a simple cycle. First, since $\pi$ witnesses $\mathrm{aVal}^{v_0}(\sigma)$, we have that $\mathrm{Val}(\pi') = \mathrm{aVal}^{v}(\sigma_h)$. Now $\sigma_h$ is positional, because $|h| \ge C$.¹ It is known that there are optimal positional antagonistic strategies $\tau$ for Adam, that is, strategies that satisfy $\mathrm{aVal}^{v}(\sigma_h) = \mathrm{out}^{v}(\sigma_h, \tau)$. As in the proof of Lemma 8, this implies that $\mathrm{aVal}^{v}(\sigma_h) = \mathrm{Val}(\alpha \cdot \beta^\omega) = \mathrm{Val}(\pi')$ for some $\alpha$ and $\beta$; additionally, any $(\alpha, \beta)$ that are consistent with $\sigma_h$ and a potential strategy for Adam will give rise to a larger value.

We now argue that $\mathrm{Val}(h)$ is witnessed by an SCD of polynomial size. This bears similarity to the proof of Lemma 7. Specifically, we will reuse the fact that histories consistent with $\sigma$ can be split into histories played "between thresholds."

Let us write $\sigma = \sigma_1 \to \sigma_2$. Again, we let $V_\exists = \{v_1, v_2, \ldots, v_k\}$ with $t(v_j) \le t(v_{j+1})$ for all $j$ and write $h = h' \cdot h''$ where $h'$ is the maximal unswitched prefix of $h$. We note that $h'$ is consistent with $\sigma_1$, and $h''$ is consistent with $\sigma_2$. Then $h' = h_0 h_1 \cdots h_i$, for some $i \le |V_\exists|$, with:

- $|h_0| = t(v_1)$ and for all $1 \le j < i$, $|h_j| = t(v_{j+1}) - t(v_j)$;
- For all $0 \le j \le i$, $h_j$ does not contain a vertex $v_k$ with $k \le j$.


We now diverge from the proof of Lemma 7. We apply Lemma 5 on each $h_j$ in the game where the strategy $\sigma_1$ is hardcoded (that is, we first remove every edge $(u, v) \in V_\exists \times V$ that does not satisfy $\sigma_1(u) = v$). We obtain a history $h'_0 h'_1 \cdots h'_i$ that is still in $\mathrm{Hist}(\sigma)$, thanks to the previous splitting of $h$. We also apply Lemma 5 to $h''$, this time in the game where $\sigma_2$ is hardcoded, obtaining $h'''$. Since each $h'_j$ and $h'''$ are expressed as $\alpha \cdot \beta^k \cdot \gamma$, there is an SCD $D$ with no more than $|V_\exists|$ elements that satisfies $\mathrm{Val}(D(x)) \le \mathrm{Val}(h)$; naturally, since $\mathrm{Val}(h)$ is minimal and $D(x) \in \mathrm{Hist}(\sigma)$, this means that the two values are equal. Note that it is not hard, given an SCD $D$, to check whether $D(x) \in \mathrm{Hist}(\sigma)$, and that SCDs that are not valued $\mathrm{Val}(h)$ have a larger value.

¹ Technically, $\sigma_h$ is positional in the game that records whether the switch was made.


6 The Complexity of Regret 


We are finally equipped to present our algorithms. To account for the cost of 
numerical analysis, we rely on the problem PosSLP [2]. This problem consists 
in determining whether an arithmetic circuit with addition, subtraction, and 
multiplication gates, together with input values, evaluates to a positive inte- 
ger. PosSLP is known to be decidable in the so-called counting hierarchy, itself 
contained in the set of problems decidable using polynomial space. 


Theorem 5. The following problem is decidable in $\mathrm{NP}^{\mathrm{PosSLP}}$:
Given: A game, a bipositional switching strategy $\sigma$, a value $r \in \mathbb{Q}$ in binary.
Question: Is $\mathrm{Reg}(\sigma) > r$?


Proof. Let us write $\sigma = \sigma_1 \to \sigma_2$. Lemma 6 indicates that $\mathrm{Reg}(\sigma) > r$ holds if there is a history $h$ of some length $n \le C = 2|V| + \max\{t(v) < \infty\}$, ending in some $v_n$ such that:

$$\lambda^{n}\left(\mathrm{cVal}^{v_n}_{\neg v'} - \mathrm{aVal}^{v_n}(\sigma_n)\right) > r . \qquad (2)$$

Note that since $\sigma$ is bipositional, we do not need to know everything about $h$. Indeed, the following properties suffice: its length $n$, final vertex $v_n$, $v' = \sigma(h)$, and whether it is switched. Rather than guessing $h$, we can thus rely on Lemma 7 to get the required information. We start by simulating the NP machine that this lemma provides, and verify that $n$, $v_n$, and $v'$ are consistent with a potential history.

Let us now concentrate on the collaborative value that we need to evaluate in Eq. 2. To compute $\mathrm{cVal}$, we rely on Lemma 8, which we apply in the game where $v_n$ is set initial, and its successor forced not to be $v'$. We guess a pair $(\alpha_c, \beta_c) \in P$; we thus have $\mathrm{Val}(\alpha_c \cdot \beta_c^\omega) \le \mathrm{cVal}^{v_n}_{\neg v'}$, with at least one guessed pair $(\alpha_c, \beta_c)$ reaching that latter value.

Let us now focus on computing $\mathrm{aVal}^{v_n}(\sigma_n)$. Since $\sigma$ is a bipositional switching strategy, $\sigma_n$ is simply $\sigma$ where $t(v)$ is changed to $\max\{0, t(v) - n\}$. Lemma 9 can thus be used to compute our value. To do so, we guess a pair $(D, \beta_a) \in K$; we thus have $\mathrm{Val}(D(x) \cdot \beta_a^\omega) \ge \mathrm{aVal}^{v_n}(\sigma_n)$, and at least one pair $(D, \beta_a)$ reaches that latter value.

Our guesses satisfy:

$$\mathrm{cVal}^{v_n}_{\neg v'} - \mathrm{aVal}^{v_n}(\sigma_n) \;\ge\; \mathrm{Val}(\alpha_c \cdot \beta_c^\omega) - \mathrm{Val}(D(x) \cdot \beta_a^\omega) ,$$

and there is a choice of our guessed paths and SCD that gives exactly the left-hand side. Comparing the left-hand side with $r$ can be done using an oracle to PosSLP, concluding the proof.


Theorem 6. The following problem is decidable in $\mathrm{coNP}^{\mathrm{PosSLP}}$:
Given: A game, a value $r \in \mathbb{Q}$ in binary.
Question: Is $\mathrm{Reg} > r$?


Proof. To decide the problem at hand, we ought to check that every strategy has 
a regret value greater than r. However, optipess strategies being regret-minimal, 
we need only check this for a class of strategies that contains optipess strategies: 
bipositional switching strategies form one such class. 

What is left to show is that optipess strategies can be encoded in polynomial space. Naturally, the two positional strategies contained in an optipess strategy can be encoded succinctly. We thus only need to show that, with $t$ as in the definition of optipess strategies (page 5), $t(v)$ is at most exponential for every $v \in V_\exists$ with $t(v) \in \mathbb{N}$. This is shown in the long version of this paper.


Theorem 7. The following problem is decidable in $\mathrm{coNP}^{\mathrm{NP}}$:
Given: A game, a bipositional switching strategy $\sigma$.
Question: Is $\sigma$ regret optimal?


Proof. A consequence of the proof of Theorem 5 and the existence of optipess strategies is that the value $\mathrm{Reg}$ of a game can be computed by a polynomial size arithmetic circuit. Moreover, our reliance on PosSLP allows the input $r$ in Theorem 5 to be represented as an arithmetic circuit without impacting the complexity. We can thus verify that for all bipositional switching strategies $\sigma'$ (with sufficiently large threshold functions) and all possible polynomial size arithmetic circuits, $\mathrm{Reg}(\sigma) > r$ implies that $\mathrm{Reg}(\sigma') > r$. The latter holds if and only if $\sigma$ is regret optimal since, as we have argued in the proof of Theorem 6, such strategies $\sigma'$ include optipess strategies and thus regret-minimal strategies.


7 Conclusion 


We studied regret, a notion of interest for an agent that does not want to assume 
that the environment she plays in is simply adversarial. We showed that there 
are strategies that both minimize regret, and are not consistently worse than 
any other strategies. The problem of computing the minimum regret value of a 
game was then explored, and a better algorithm was provided for it. 

The exact complexity of this problem remains however open. The only known 
lower bound, a straightforward adaptation of [14, Lemma 3] for discounted-sum 
games, shows that it is at least as hard as solving parity games [15]. 
Our upper bound could be significantly improved if we could efficiently solve the following problem:

PosRatBase
Given: $(a_i)_{i=1}^{n} \in \mathbb{Z}^n$, $(b_i)_{i=1}^{n} \in \mathbb{N}^n$, and $r \in \mathbb{Q}$, all in binary.
Question: Is $\sum_{i=1}^{n} a_i \cdot r^{b_i} > 0$?


This can be seen as the problem of comparing succinctly represented numbers 
in a rational base. The PosSLP oracle in Theorem 5 can be replaced by an oracle 
for this seemingly simpler arithmetic problem. The variant of PosRatBase in 
which r is an integer was shown to be in P by Cucker, Koiran, and Smale [8], 
and they mention that the complexity is open for rational values. To the best of 
our knowledge, the exact complexity of PosRatBase is open even for n = 3. 
Abstract. Commuting conversions of Linear Logic induce a notion of dependency between rules inside a proof derivation: a rule depends on a previous rule when they cannot be permuted using the conversions. We propose a new interpretation of proofs of Linear Logic as causal invariants which captures exactly this dependency. We represent causal invariants using game semantics based on general event structures, carving out, inside the model of [6], a submodel of causal invariants. This submodel supports an interpretation of unit-free Multiplicative Additive Linear Logic with MIX (MALL$^-$) which is (1) fully complete: every element of the model is the denotation of a proof and (2) injective: equality in the model characterises exactly commuting conversions of MALL$^-$. This improves over the standard fully complete game semantics model of MALL$^-$.


Keywords: Event structures · Linear Logic · Proof nets · Game semantics


1 Introduction 


Proofs up to commuting conversions. In the sequent calculus of Linear Logic, the 
order between rules need not always matter: allowed reorderings are expressed 
by commuting conversions. These conversions are necessary for confluence of 
cut-elimination by mitigating the sequentiality of the sequent calculus. The real 
proof object is often seen as an equivalence class of proofs modulo commuting 
conversions. The problem of providing a canonical representation of proofs up to 
those commuting conversions is as old as Linear Logic itself, and proves to be a 
challenging problem. The traditional solution interprets a proof by a graphical 
representation called proof net and dates back to Girard [17]. Girard’s solution 
is only satisfactory in the multiplicative-exponential fragment of Linear Logic. 
For additives, a well-known solution is due to Hughes and van Glabbeek [22], where proofs are reduced to their set of axiom linkings. However, the correctness criterion relies on the difficult toggling condition.

Proof nets tend to be based on specific representations such as graphs or sets of linkings. Denotational semantics has not managed to provide a semantic counterpart to proof nets, which would be a model where every element is the interpretation of a proof (full completeness) and whose equational theory coincides with commuting conversions (injectivity). We believe this is because denotational semantics views conversions as extensional principles, hence models proofs with extensional objects (relations, functions) too far from the syntax. Conversions essentially state that the order between rules applied to different premises does not matter, as evidenced in the two equivalent proofs of the sequent $\vdash X^\perp \oplus X^\perp, X \oplus X$ depicted on the right. These two proofs are equal in extensional models of Linear Logic because they have the same extensional behaviour. Unfortunately, characterising the image of the interpretation proved to be a difficult task in extensional models. The first fully complete models used game semantics, and are due to Abramsky and Melliès (MALL) [1] and Melliès (Full LL) [24]. However, their models use an extensional quotient on strategies to satisfy the conversions, blurring the concrete nature of strategies.

[Two sequent-calculus derivations of $\vdash X^\perp \oplus X^\perp, X \oplus X$, applying the two $\oplus$-introductions in either order above an axiom, are shown beside this paragraph in the original.]

[Fig. 1. Examples of causal invariants: (a) the partial order for the two processes of (1), on $u : X^\perp \oplus X^\perp, v : X \oplus X$, where $u[\mathsf{inl}]$ and $v[\mathsf{inl}]$ are independent; (b) the event structure interpreting the identity on $X \oplus Y$, on $u : X^\perp \,\&\, Y^\perp, v : X \oplus Y$, where $u(\mathsf{inl}) \sim u(\mathsf{inr})$ are in conflict and each causes the matching $v[\mathsf{inl}]$ or $v[\mathsf{inr}]$.]


The true concurrency of conversions. Recent work [5] highlights an interpreta- 
tion of Linear Logic as communicating processes. Rules become actions whose 
polarity (input or output) is tied to the polarity of the connective (negative or 
positive), and cut-elimination becomes communication. In this interpretation, 
each assumption in the context is assigned a channel on which the proof com- 
municates. Interestingly, commuting conversions can be read as asynchronous 
permutations. For instance, the conversion mentioned above becomes the equation in the syntax of Wadler [27]:

$$u[\mathsf{inl}].\,v[\mathsf{inl}].\,[u \leftrightarrow v] \;\equiv\; v[\mathsf{inl}].\,u[\mathsf{inl}].\,[u \leftrightarrow v] \;\rhd\; u : X^\perp \oplus X^\perp, v : X \oplus X, \qquad (1)$$

where $u[\mathsf{inl}]$ corresponds to a $\oplus_1$-introduction rule on (the assumption corresponding to) $u$, and $[u \leftrightarrow v]$ is the counterpart to an axiom between the hypotheses corresponding to $u$ and $v$. It becomes then natural to consider that the canonical object representing these two proofs should be a concurrent process issuing the two outputs in parallel. A notion of causality emerges from this interpretation, where a rule depends on a previous rule below in the tree when these two rules cannot be permuted using the commuting conversions. This leads us to causal models to make this dependency explicit. For instance, the two processes in (1) can be represented as the partial order depicted in Fig. 1a, where dependency between rules is marked with $\to$.

In presence of $\&$, a derivation stands for several executions (slices), given by different premises of a $\&$-rule (whose process equivalent is $u.\mathsf{case}\,(P, Q)$ and represents pattern matching on an incoming message). The identity on $X \oplus Y$, corresponding to the proof

$$u.\mathsf{case}\,(v[\mathsf{inl}].\,[u \leftrightarrow v],\; v[\mathsf{inr}].\,[u \leftrightarrow v]) \;\rhd\; u : X^\perp \,\&\, Y^\perp, v : X \oplus Y,$$

is interpreted by the event structure depicted in Fig. 1b. Event structures [28] combine a partial order, representing causality, with a conflict relation representing when two events cannot belong to the same execution (here, same slice). Conflict here is indicated with $\sim$ and separates the slices. The $\&$-introduction becomes two conflicting events.


[Fig. 2. Representations of $\mathsf{or}$: (a) as prime event structures, where the conflicts $u(\mathsf{inl}) \sim u(\mathsf{inr})$ and $v(\mathsf{inl}) \sim v(\mathsf{inr})$ lead to conflicting copies of $w[\mathsf{inl}]$; (b) as general event structures, with a single $w[\mathsf{inl}]$ whose join is annotated $\mathsf{or}$.]


Conjunctive and disjunctive causalities. Consider the process on the context $u : (X \oplus X)^\perp, v : (Y \oplus Y)^\perp, w : (X \otimes Y) \oplus (X \otimes Y)$ implementing disjunction:

$$\mathsf{or} = u.\mathsf{case}\,\big(v.\mathsf{case}\,(w[\mathsf{inl}].\,P,\; w[\mathsf{inl}].\,P),\;\; v.\mathsf{case}\,(w[\mathsf{inl}].\,P,\; w[\mathsf{inr}].\,P)\big), \quad \text{where } P = w[x].\,([u \leftrightarrow w] \mid [v \leftrightarrow x]).$$

Cuts of $\mathsf{or}$ against a proof starting with $u[\mathsf{inl}]$ or $v[\mathsf{inl}]$ answer on $w$ after reduction:

$$(\nu u)(\mathsf{or} \mid u[\mathsf{inl}]) \to^* w[\mathsf{inl}].\,v.\mathsf{case}\,(P, P) \qquad (\nu v)(\mathsf{or} \mid v[\mathsf{inl}]) \to^* w[\mathsf{inl}].\,u.\mathsf{case}\,(P, P)$$

where $(\nu u)(P \mid Q)$ is the process counterpart to logical cuts. This operational behaviour is related to parallel or, evaluating its arguments in parallel and returning true as soon as one returns true. Due to this intensional behaviour, the interpretation of $\mathsf{or}$ in prime event structures is nondeterministic (Fig. 2a), as causality in event structures is conjunctive (an event may only occur after all its predecessors have occurred). By moving to general event structures, however, we can make the disjunctive causality explicit and recover determinism (Fig. 2b).


Contributions and outline. Drawing inspiration from the interpretation of proofs in terms of processes, we build a fully complete and injective model of unit-free Multiplicative Additive Linear Logic with MIX (MALL$^-$), interpreting proofs as general event structures living in a submodel of the model introduced by [6]. Moreover, our model captures the dependency between rules, which makes sequentialisation a local operation, unlike in proof nets, and has a more uniform acyclicity condition than [22].

We first recall the syntax of MALL$^-$ and its reading in terms of processes in Sect. 2. Then, in Sect. 3, we present a slight variation on the model of [6], where we call the (pre)strategies causal structures, by analogy with proof structures. Each proof tree can be seen as a (sequential) causal structure. However, the space of causal structures is too broad and there are many causal structures which do not correspond to any proofs. A major obstacle to sequentialisation is the presence of deadlocks. In Sect. 4, we introduce a condition on causal structures, ensuring deadlock-free composition, inspired by the interaction between $\parr$ and $\otimes$ in Linear Logic. Acyclic causal structures are still allowed to only explore partially the game, contrary to proofs which must explore it exhaustively, hence in Sect. 5, we introduce further conditions on causal structures, ensuring a strong sequentialisation theorem (Theorem 2): we call them causal nets. In Sect. 6, we define causal invariants as maximal causal nets. Every causal net embeds in a unique causal invariant; and a particular proof $P$ embeds inside a unique causal invariant which forms its denotation $\llbracket P \rrbracket$. Moreover, two proofs embed in the same causal invariant if and only if they are convertible (Theorem 4). Finally, we show how to equip causal invariants with the structure of $*$-autonomous category with products and deduce that they form a fully complete model of MALL$^-$ (Theorem 6) for which the interpretation is injective.

The proofs are available in the technical report [7]. 


[Diagram: Interpretation maps proof trees (§ 2) to causal invariants (§ 6), which sit inside causal nets (§ 5), acyclic causal structures (§ 4) and causal structures (§ 3); Sequentialisation maps causal nets back to proof trees.]


2 MALL- and Its Commuting Conversions 


In this section, we introduce MALL$^-$ formulas and proofs as well as the standard commuting conversions and cut elimination for this logic. As mentioned in the introduction, we use a process-like presentation of proofs following [27]. This highlights the communicating aspect of proofs, which is an essential intuition for the model; and it offers a concise visualisation of proofs and conversions.


Formulas. We define the formulas of MALL$^-$: $T, S ::= X \mid X^\perp \mid T \otimes S \mid T \parr S \mid T \oplus S \mid T \,\&\, S$, where $X$ and $X^\perp$ are atomic formulas (or literals) belonging to a set $\mathcal{A}$. Formulas come with the standard notion of duality $(\cdot)^\perp$ given by the De Morgan rules: $\otimes$ is dual to $\parr$, and $\oplus$ to $\&$. An environment is a partial mapping of names to formulas, instead of a multiset of formulas: names disambiguate which assumption a rule acts on.
Proofs as processes. We see proofs of MALL$^-$ (with MIX) as typing derivations for a variant of the $\pi$-calculus [27]. The (untyped) syntax for the processes is as follows:

$$\begin{array}{rcll}
P, Q & ::= & u(v).\,P \;\mid\; u[v].\,(P \mid Q) & \text{(multiplicatives)} \\
& \mid & u.\mathsf{case}\,(P, Q) \;\mid\; u[\mathsf{inl}].\,P \;\mid\; u[\mathsf{inr}].\,P & \text{(additives)} \\
& \mid & [u \leftrightarrow v] \;\mid\; (\nu u)(P \mid Q) \;\mid\; (P \mid Q) & \text{(logical and mix)}
\end{array}$$

$u(v).\,P$ denotes an input of $v$ on channel $u$ (used in $\parr$-introduction), while $u[v].\,(P \mid Q)$ denotes output of a fresh channel $v$ along channel $u$ (used in $\otimes$-introduction). The term $[u \leftrightarrow v]$ is a link, forwarding messages received on $u$ to $v$ and conversely, and corresponds to axioms; $(\nu u)(P \mid Q)$ represents a restriction of $u$ in $P$ and $Q$ and corresponds to cuts; $u.\mathsf{case}\,(P, Q)$ is an input branching representing $\&$-introductions, which interacts with selection, either $u[\mathsf{inl}].\,R$ or $u[\mathsf{inr}].\,R$. In $(\nu u)(P \mid Q)$, $u$ is bound in both $P$ and $Q$; in $u(v).\,P$, $v$ is bound in $P$; and in $u[v].\,(P \mid Q)$, $v$ is only bound in $Q$.

We now define MALL$^-$ proofs as typing derivations for processes. The inference rules, recalled in Fig. 3, are from [27]. The links (axioms) are restricted to literals; for composite types, one can use the usual $\eta$-expansion laws. There is a straightforward bijection between standard ($\eta$-expanded) proofs of MALL$^-$ and typing derivations.


Typing rules for processes:

$$\frac{P \rhd \Gamma, u : T, v : S}{u(v).\,P \rhd \Gamma, u : T \parr S}
\qquad
\frac{P \rhd \Gamma, u : T \quad Q \rhd \Delta, v : S}{u[v].\,(P \mid Q) \rhd \Gamma, \Delta, u : T \otimes S}
\qquad
\frac{}{[u \leftrightarrow v] \rhd u : X^\perp, v : X}$$

$$\frac{P \rhd \Gamma, u : T \quad Q \rhd \Delta, u : T^\perp}{(\nu u)(P \mid Q) \rhd \Gamma, \Delta}
\qquad
\frac{P \rhd \Gamma, u : T \quad Q \rhd \Gamma, u : S}{u.\mathsf{case}\,(P, Q) \rhd \Gamma, u : T \,\&\, S}$$

$$\frac{P \rhd \Gamma, u : T}{u[\mathsf{inl}].\,P \rhd \Gamma, u : T \oplus S}
\qquad
\frac{P \rhd \Gamma, u : S}{u[\mathsf{inr}].\,P \rhd \Gamma, u : T \oplus S}
\qquad
\frac{P \rhd \Gamma \quad Q \rhd \Delta}{P \mid Q \rhd \Gamma, \Delta}$$

Typing rules for contexts:

$$\vdash u[\mathsf{inl}].\,[\,] : (\Gamma, u : T) \rhd \Gamma, u : T \oplus S
\qquad
\vdash u[\mathsf{inr}].\,[\,] : (\Gamma, u : S) \rhd \Gamma, u : T \oplus S$$

$$\vdash u.\mathsf{case}\,([\,]_1, [\,]_2) : (\Gamma, u : T) \times (\Gamma, u : S) \rhd \Gamma, u : T \,\&\, S
\qquad
\vdash u(v).\,[\,] : (\Gamma, u : T, v : S) \rhd \Gamma, u : T \parr S$$

$$\frac{Q \rhd \Delta, v : S}{\vdash u[v].\,([\,] \mid Q) : (\Gamma, u : T) \rhd \Gamma, \Delta, u : T \otimes S}
\qquad
\frac{P \rhd \Gamma, u : T}{\vdash u[v].\,(P \mid [\,]) : (\Delta, v : S) \rhd \Gamma, \Delta, u : T \otimes S}$$

$$\frac{Q \rhd \Delta}{\vdash ([\,] \mid Q) : \Gamma \rhd \Gamma, \Delta}
\qquad
\frac{P \rhd \Gamma}{\vdash (P \mid [\,]) : \Delta \rhd \Gamma, \Delta}$$

Fig. 3. Typing rules for MALL$^-$ (above) and contexts (below)


Commutation rules and cut elimination. We now explain the valid commutation rules in our calculus. We consider contexts $C[[\,]_1, \ldots, [\,]_n]$ with several holes to accommodate $\&$, which has two branches. Contexts are defined in Fig. 3, and are assigned a type $\Gamma_1 \times \ldots \times \Gamma_n \rhd \Delta$. It intuitively means that if we plug proofs of $\Gamma_i$ in the holes, we get back a proof of $\Delta$. We use the notation $C[P_i]_i$ for $C[P_1, \ldots, P_n]$ when $(P_i)$ is a family of processes. Commuting conversion is the smallest congruence $\equiv$ satisfying all well-typed instances of the rule $C[D[P_{i,j}]_j]_i \equiv D[C[P_{i,j}]_i]_j$ for $C$ and $D$ two contexts. For instance $a[\mathsf{inl}].\,b.\mathsf{case}\,(P, Q) \equiv b.\mathsf{case}\,(a[\mathsf{inl}].\,P,\; a[\mathsf{inl}].\,Q)$. Figure 4 gives reduction rules $P \to Q$. The first four rules are the principal cut rules and describe the interaction of two dual terms, while the last one allows cuts to move inside contexts.


3 Concurrent Games Based on General Event Structures 


This section introduces a slight variation on the model of [6]. In Sect. 3.1, we define games as prime event structures with polarities, which are used to interpret formulas. We then introduce general event structures in Sect. 3.2, which are used to define causal structures.


$$(\nu u)([u \leftrightarrow v] \mid P) \to P[v/u]
\qquad
(\nu u)(u[x].\,(P \mid Q) \mid u(x).\,R) \to (\nu u)(P \mid (\nu x)(Q \mid R))$$

$$(\nu u)(u[\mathsf{inl}].\,R \mid u.\mathsf{case}\,(P, Q)) \to (\nu u)(R \mid P)
\qquad
(\nu u)(u[\mathsf{inr}].\,R \mid u.\mathsf{case}\,(P, Q)) \to (\nu u)(R \mid Q)$$

$$(\nu u)(C[P_i]_i \mid Q) \to C[(\nu u)(P_i \mid Q)]_i \quad (u \notin C)$$

Fig. 4. Cut elimination in MALL$^-$


3.1 Games as Prime Event Structures with Polarities 


Definition of games. Prime event structures [28] (simply event structures in the rest of the paper) are a causal model of nondeterministic and concurrent computation. We use here prime event structures with binary conflict. An event structure is a triple $(E, \le_E, \#_E)$ where $(E, \le_E)$ is a partial order and $\#_E$ is an irreflexive symmetric relation (representing conflict) satisfying: (1) if $e \in E$, then $[e] := \{e' \in E \mid e' \le_E e\}$ is finite; and (2) if $e \,\#_E\, e'$ and $e \le_E e''$ then $e'' \,\#_E\, e'$. We often omit the $E$ subscripts when clear from the context.

A configuration of $E$ is a downclosed subset of $E$ which does not contain two conflicting events. We write $\mathcal{C}(E)$ for the set of finite configurations of $E$. For any $e \in E$, $[e]$ is a configuration, and so is $[e) := [e] \setminus \{e\}$. We write $e \to e'$ for the immediate causal relation of $E$ defined as $e < e'$ with no event between. Similarly, a conflict $e \,\#\, e'$ is minimal, denoted $e \sim e'$, when $[e] \cup [e')$ and $[e) \cup [e']$ are configurations. When drawing event structures, only $\to$ and $\sim$ are represented. We write $\max(E)$ for the set of maximal events of $E$ for $\le_E$. An event $e$ is maximal in $x$ when it has no successor for $\le_E$ in $x$. We write $\max_E x$ for the maximal events of a configuration $x \in \mathcal{C}(E)$.

An event structure $E$ is confusion-free when (1) for all $e \sim_E e'$ we have $[e) = [e')$ and (2) if $e \sim_E e'$ and $e' \sim_E e''$ then $e = e''$ or $e \sim_E e''$. As a result, the relation "$e \sim e'$ or $e = e'$" is an equivalence relation whose equivalence classes are called cells.
Definition 1. A game is a confusion-free event structure $A$ along with an assignment $\mathrm{pol} : A \to \{-, +\}$ such that cells contain events of the same polarity, and a function $\mathrm{atom} : \max(A) \to \mathcal{A}$ mapping every maximal event of $A$ to an atom. Events with polarity $-$ (resp. $+$) are negative (resp. positive).


Events of a game are usually called moves. The restriction imposes branching to be polarised (i.e. belonging to a player). A game is rooted when any two minimal events are in conflict. Single types are interpreted by rooted games, while contexts are interpreted by arbitrary games. When introducing moves of a game, we will indicate their polarity in exponent, e.g. "let $a^+ \in A$" stands for assuming a positive move of $A$.


Interpretation of formulas. To interpret formulas, we make use of standard constructions on prime event structures. The event structure $a \cdot E$ is $E$ prefixed with $a$, i.e. $E \cup \{a\}$ where all events of $E$ depend on $a$. The parallel composition of $E$ and $E'$ represents parallel executions of $E$ and $E'$ without interference:


Definition 2. The parallel composition of event structures $A_0$ and $A_1$ is the event structure $A_0 \parallel A_1 = (\{0\} \times A_0 \cup \{1\} \times A_1, \le_{A_0 \parallel A_1}, \#_{A_0 \parallel A_1})$ with $(i, a) \le_{A_0 \parallel A_1} (j, a')$ iff $i = j$ and $a \le_{A_i} a'$; and $(i, a) \,\#_{A_0 \parallel A_1}\, (j, a')$ when $i = j$ and $a \,\#_{A_i}\, a'$.


The sum of event structures $E + F$ is the nondeterministic analogue of parallel composition.


Definition 3. The sum $A_0 + A_1$ of the two event structures $A_0$ and $A_1$ has the same partial order as $A_0 \parallel A_1$, and conflict relation $(i, a) \,\#_{A_0 + A_1}\, (j, a')$ if $i \ne j$ or $i = j$ and $a \,\#_{A_i}\, a'$.


Prefixing, parallel composition and sum of event structures extend to games. The dual of a game $A$, obtained by reversing the polarity labelling, is written $A^\perp$. Given $x \in \mathcal{C}(A)$, we define $A/x$ ("$A$ after $x$") as the subgame of $A$ comprising the events $a \in A \setminus x$ not in conflict with events in $x$.


Interpretation of formulas. The interpretation of the atom $X$ is the game with a single positive event simply written $X$ with $\mathrm{atom}(X) = X$, and the interpretation of $X^\perp$ is $\llbracket X \rrbracket^\perp$, written simply $X^\perp$ in diagrams. For composite formulas, we let (where $\mathsf{send}$, $\mathsf{inl}$ and $\mathsf{inr}$ are simply labels):

$$\llbracket S \otimes T \rrbracket = \mathsf{send}^+ \cdot (\llbracket S \rrbracket \parallel \llbracket T \rrbracket) \qquad \llbracket S \parr T \rrbracket = \mathsf{send}^- \cdot (\llbracket S \rrbracket \parallel \llbracket T \rrbracket)$$

$$\llbracket S \oplus T \rrbracket = (\mathsf{inl}^+ \cdot \llbracket S \rrbracket) + (\mathsf{inr}^+ \cdot \llbracket T \rrbracket) \qquad \llbracket S \,\&\, T \rrbracket = (\mathsf{inl}^- \cdot \llbracket S \rrbracket) + (\mathsf{inr}^- \cdot \llbracket T \rrbracket)$$

Parallel composition is used to interpret contexts: $\llbracket u_1 : T_1, \ldots, u_n : T_n \rrbracket = \llbracket T_1 \rrbracket \parallel \ldots \parallel \llbracket T_n \rrbracket$. The interpretation commutes with duality: $\llbracket T \rrbracket^\perp = \llbracket T^\perp \rrbracket$.

In diagrams, we write moves of a context following the syntactic convention: for instance $u[\mathsf{inl}]$ denotes the minimal $\mathsf{inl}$ move of the $u$ component. For tensors and pars, we use the notation $u[v]$ and $u(v)$ to make explicit the variables we use in the rest of the diagram, instead of $\mathsf{send}^+$ and $\mathsf{send}^-$ respectively. For atoms, we use $u : X$ and $u : X^\perp$.
3.2 Causal Structures as Deterministic General Event Structures


As we discussed in Sect. 1, prime event structures cannot express disjunctive causalities deterministically, hence fail to account for the determinism of LL.
Our notion of causal structure is based on general event structures, which allow 
more complex causal patterns. We use a slight variation on the definition of 
deterministic general event structures given by [6], to ensure that composition 
is well-defined without further assumptions. 

Instead of using the more concrete representation of general event struc- 
tures in terms of a set of events and an enabling relation, we use the following 
formulation in terms of set of configurations, more adequate for mathematical 
reasoning. Being only sets of configurations, they can be reasoned on with very 
simple set-theoretic arguments. 


Definition 4. A causal structure (abbreviated as causal struct) on a game $A$ is a subset $\sigma \subseteq \mathcal{C}(A)$ containing $\emptyset$ and satisfying the following conditions:

Coincidence-freeness: If $e, e' \in x \in \sigma$ then there exists $y \in \sigma$ with $y \subseteq x$ and $y \cap \{e, e'\}$ is a singleton.

Determinism: For $x, y \in \sigma$ such that $x \cup y$ does not contain any minimal negative conflict, $x \cup y \in \sigma$.


Configurations of prime event structures satisfy a further axiom, stability, which ensures the absence of disjunctive causalities. When $\sigma$ is a causal struct on $A$, we write $\sigma : A$. We draw $\sigma$ as regular event structures, using $\to$ and $\sim$. To indicate disjunctive causalities, we annotate joins with $\mathsf{or}$. This convention is not powerful enough to draw all causal structs, but enough for the examples in this paper. As an example, on $A = a \parallel b \parallel c$ the diagram on the right denotes the following causal struct $\sigma = \{x \in \mathcal{C}(A) \mid c \in x \Rightarrow x \cap \{a, b\} \ne \emptyset\}$.

[Diagram: $a \to c$ and $b \to c$, with the join at $c$ annotated $\mathsf{or}$.]

A minimal event of $\sigma : A$ is an event $a \in A$ with $\{a\} \in \sigma$. An event $a \in x \in \sigma$ is maximal in $x$ when $x \setminus \{a\} \in \sigma$. A prime configuration of $a \in A$ is a configuration $x \in \sigma$ such that $a$ is its unique maximal event. Because of disjunctive causalities, an event $a \in A$ can have several distinct prime configurations in $\sigma$ (unlike in event structures). In the previous example, since $c$ can be caused by either $a$ or $b$, it has two prime configurations: $\{a, c\}$ and $\{b, c\}$. We write $\max \sigma$ for the set of maximal configurations of $\sigma$, i.e. those configurations that cannot be further extended.

Even though causality is less clear in general event structures than in prime event structures, we give here a notion of immediate causal dependence that will be central to define acyclic causal structs. Given a causal struct $\sigma : A$ and $x \in \sigma$, we define a relation $\to_{\sigma, x}$ on $x$ as follows: $a \to_{\sigma, x} a'$ when there exists a prime configuration $y$ of $a'$ such that $x \cup y \in \sigma$, and $a$ is maximal in $y \setminus \{a'\}$. This notion is compatible with the drawing above: we have $a \to_\sigma c$ and $b \to_\sigma c$ as $c$ has two prime configurations: $\{a, c\}$ and $\{b, c\}$. Causality needs to be contextual, since different slices can implement different causal patterns. Parallel composition and prefixing structures extend to causal structs:

$$\sigma \parallel \tau = \{x \parallel y \in \mathcal{C}(A \parallel B) \mid (x, y) \in \sigma \times \tau\} \qquad a \cdot \sigma = \{x \in \mathcal{C}(a \cdot A) \mid x \cap A \in \sigma\}.$$
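The notions of Definition 4 and the immediate causality relation, computed on the paper's own example $\sigma$ on $a \parallel b \parallel c$, as an added Python example that is not code from the paper (function names are ours; the game is conflict-free, so its configurations are all subsets and determinism reduces to closure under union):

```python
from itertools import combinations

# Added example (not from the paper): Definition 4 and the causality notion of
# Sect. 3.2 on the paper's own example, the conflict-free game A = a || b || c
# (every subset is a configuration) and the causal struct
#   sigma = { x in C(A) | c in x  =>  x ∩ {a, b} ≠ ∅ },
# i.e. "c is caused by a or by b" (a disjunctive causality).
# Function names are ours, not the paper's notation.

A = frozenset({"a", "b", "c"})


def configurations(game):
    """C(A) for a conflict-free game with a trivial order: all subsets."""
    events = sorted(game)
    return {frozenset(s) for r in range(len(events) + 1)
            for s in combinations(events, r)}


def or_causal_struct(game):
    """The causal struct drawn in the paper: c requires a or b (or both)."""
    return {x for x in configurations(game) if "c" not in x or x & {"a", "b"}}


def is_causal_struct(sigma, game):
    """Check Definition 4. The game has no conflict at all, so the determinism
    condition reduces to closure under union."""
    if frozenset() not in sigma or not sigma <= configurations(game):
        return False
    for x in sigma:                      # coincidence-freeness
        for e, e2 in combinations(sorted(x), 2):
            if not any(y <= x and len(y & {e, e2}) == 1 for y in sigma):
                return False
    return all(x | y in sigma for x in sigma for y in sigma)


def is_maximal(sigma, a, x):
    """a in x is maximal in x when x \\ {a} is still a configuration of sigma."""
    return a in x and (x - {a}) in sigma


def prime_configurations(sigma, a):
    """Configurations of sigma whose unique maximal event is a.
    With disjunctive causality an event may have several of them."""
    return {x for x in sigma
            if a in x and {e for e in x if is_maximal(sigma, e, x)} == {a}}


def immediate_causality(sigma, x):
    """The relation ->_{sigma,x} on x: a -> a' when some prime configuration y
    of a' is compatible with x (x ∪ y in sigma) and a is maximal in y \\ {a'}."""
    rel = set()
    for a2 in x:
        for y in prime_configurations(sigma, a2):
            if (x | y) in sigma:
                for a in (y - {a2}) & x:
                    if is_maximal(sigma, a, y - {a2}):
                        rel.add((a, a2))
    return rel


def minimal_events(sigma, game):
    """Events a with {a} in sigma."""
    return {a for a in game if frozenset({a}) in sigma}


if __name__ == "__main__":
    sigma = or_causal_struct(A)
    print(is_causal_struct(sigma, A))                                   # True
    print(sorted(sorted(x) for x in prime_configurations(sigma, "c")))  # [['a', 'c'], ['b', 'c']]
    print(sorted(immediate_causality(sigma, A)))                        # [('a', 'c'), ('b', 'c')]
    print(sorted(minimal_events(sigma, A)))                             # ['a', 'b']
```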
Categorical setting. Causal structs can be composed using the definitions of [6]. Consider $\sigma : A^\perp \parallel B$ and $\tau : B^\perp \parallel C$. A synchronised configuration is a configuration $x \in \mathcal{C}(A \parallel B \parallel C)$ such that $x \cap (A \parallel B) \in \sigma$ and $x \cap (B \parallel C) \in \tau$. A synchronised configuration $x$ is reachable when there exists a sequence (covering chain) of synchronised configurations $x_0 = \emptyset \subseteq x_1 \subseteq \ldots \subseteq x_n = x$ such that $x_{i+1} \setminus x_i$ is a singleton. The reachable configurations are used to define the interaction $\tau \circledast \sigma$, and then after hiding, the composition $\tau \odot \sigma$:

$$\tau \circledast \sigma = \{x \mid x \text{ is a reachable synchronised configuration}\} \qquad \tau \odot \sigma = \{x \cap (A \parallel C) \mid x \in \tau \circledast \sigma\}.$$

Unlike in [6], our determinism is strong enough for $\tau \odot \sigma$ to be a causal struct.


Lemma 1. If $\sigma : A^\perp \parallel B$ and $\tau : B^\perp \parallel C$ are causal structs then $\tau \odot \sigma$ is a causal struct.


Composition of causal structs will be used to interpret cuts between proofs of Linear Logic. In concurrent game semantics, composition has a natural identity, asynchronous copycat [25], playing on the game $A^\perp \parallel A$, forwarding negative moves on one side to the positive occurrence on the other side. Following [6], we define $\mathrm{cc}_A = \{x \parallel y \in \mathcal{C}(A^\perp \parallel A) \mid y \supseteq^{-} x \cap y \subseteq^{+} x\}$ where $x \subseteq^{p} y$ means $x \subseteq y$ and $\mathrm{pol}(y \setminus x) \subseteq \{p\}$.

However, in general copycat is not an identity on all causal structs; only $\sigma \subseteq \mathrm{cc}_A \odot \sigma$ holds. Indeed, copycat represents an asynchronous buffer, and causal structs which expect messages to be transmitted synchronously may be affected by composition with copycat. We call causal structs that satisfy the equality asynchronous. From [6], we know that asynchronous causal structs form a compact-closed category.


The syntactic tree. The syntactic tree of a derivation P ⊳ Δ can be read as a causal 
struct Tr(P) on ⟦Δ⟧, which will be the basis for our interpretation. It is defined by 
induction: 


$$\begin{array}{ll}
\mathrm{Tr}(u(v).\,P) = u(v) \cdot \mathrm{Tr}(P) & \mathrm{Tr}(u[v].\,(P \mid Q)) = u[v] \cdot (\mathrm{Tr}(P) \parallel \mathrm{Tr}(Q)) \\
\multicolumn{2}{l}{\mathrm{Tr}(a.\mathrm{case}\,(P, Q)) = (a(\mathrm{inl}) \cdot \mathrm{Tr}(P)) \cup (a(\mathrm{inr}) \cdot \mathrm{Tr}(Q))} \\
\mathrm{Tr}(a[\mathrm{inl}].\,P) = a[\mathrm{inl}] \cdot \mathrm{Tr}(P) & \mathrm{Tr}(a[\mathrm{inr}].\,P) = a[\mathrm{inr}] \cdot \mathrm{Tr}(P) \\
\mathrm{Tr}([a \leftrightarrow b]) = \mathsf{cc}_X \ \text{ where } \Delta = a : X^{\perp}, b : X & \mathrm{Tr}(P \mid Q) = \mathrm{Tr}(P) \parallel \mathrm{Tr}(Q) \\
\multicolumn{2}{l}{\mathrm{Tr}((\nu a)(P \mid Q)) = \mathrm{Tr}(P) \odot \mathrm{Tr}(Q)}
\end{array}$$


We use the convention in the diagram; for instance, u[v] means the initial send 
move of the u component. An example of this construction is given in Fig. 5a. 
Note that it is not asynchronous. 
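As an added illustration of these clauses (example code written for this edit, not code from the paper), the following Python computes Tr(-) for a small process syntax by representing a causal struct only by its set of configurations. It assumes event names of the form u(v), u[v], a(inl) and a[inl]; that an atom game has a single move, so that copycat on an axiom link [a ↔ b] is the chain ∅, {negative atom}, {negative atom, positive atom}; and that the negative endpoint of each link is supplied explicitly. Cuts (ν) are left out, since ⊙ needs the full game structure, which this representation does not carry.

```python
"""Syntactic-tree translation Tr(-) on sets of configurations.  Added example,
not the paper's code.  Assumptions: a causal struct is represented only by
its configurations (frozensets of event names); an atom game has one move,
so copycat on [a <-> b] is the chain {} , {neg}, {neg, pos}; the negative
endpoint of each axiom link is given explicitly."""
from itertools import product
from typing import FrozenSet, Set

Config = FrozenSet[str]
CausalStruct = Set[Config]

EMPTY: Config = frozenset()


def par(sigma: CausalStruct, tau: CausalStruct) -> CausalStruct:
    """sigma || tau = {x || y | x in sigma, y in tau}; event names are disjoint."""
    return {x | y for x, y in product(sigma, tau)}


def prefix(event: str, sigma: CausalStruct) -> CausalStruct:
    """a . sigma = {x in C(a . A) | x ∩ A in sigma}: the fresh minimal event
    must be present before anything of sigma happens."""
    return {EMPTY} | {x | {event} for x in sigma}


def copycat(neg: str, pos: str) -> CausalStruct:
    """Copycat on a one-move atom: the negative move is forwarded to the
    positive copy on the other side (assumed shape, see lead-in)."""
    return {EMPTY, frozenset({neg}), frozenset({neg, pos})}


def tr(proc) -> CausalStruct:
    """Tr on a tuple-encoded process. Constructors mirror the clauses above:
    ('recv', u, v, P), ('send', u, v, P, Q), ('case', a, P, Q),
    ('inl', a, P), ('inr', a, P), ('par', P, Q), ('ax', neg, pos)."""
    tag = proc[0]
    if tag == 'recv':                      # Tr(u(v).P) = u(v) . Tr(P)
        _, u, v, p = proc
        return prefix(f'{u}({v})', tr(p))
    if tag == 'send':                      # Tr(u[v].(P|Q)) = u[v] . (Tr(P) || Tr(Q))
        _, u, v, p, q = proc
        return prefix(f'{u}[{v}]', par(tr(p), tr(q)))
    if tag == 'case':                      # union of the two prefixed branches
        _, a, p, q = proc
        return prefix(f'{a}(inl)', tr(p)) | prefix(f'{a}(inr)', tr(q))
    if tag == 'inl':
        _, a, p = proc
        return prefix(f'{a}[inl]', tr(p))
    if tag == 'inr':
        _, a, p = proc
        return prefix(f'{a}[inr]', tr(p))
    if tag == 'par':                       # Tr(P | Q) = Tr(P) || Tr(Q)
        _, p, q = proc
        return par(tr(p), tr(q))
    if tag == 'ax':                        # Tr([a <-> b]) = copycat on the atom
        _, neg, pos = proc
        return copycat(neg, pos)
    raise ValueError(f'unknown constructor {tag!r}')


def maximal(sigma: CausalStruct) -> Set[Config]:
    """Configurations of sigma that are maximal for inclusion."""
    return {x for x in sigma if not any(x < y for y in sigma)}


# Constructed examples (not from the paper).  EXAMPLE is
# u(v). w[z]. ([u <-> w] | [v <-> z]) with u and v taken as the negative atoms;
# CASE_EXAMPLE is a.case([b <-> c], [d <-> e]).
EXAMPLE = ('recv', 'u', 'v',
           ('send', 'w', 'z', ('ax', 'u', 'w'), ('ax', 'v', 'z')))
CASE_EXAMPLE = ('case', 'a', ('ax', 'b', 'c'), ('ax', 'd', 'e'))

if __name__ == '__main__':
    for x in sorted(tr(EXAMPLE), key=len):
        print(sorted(x))
```

Every non-empty configuration of Tr(EXAMPLE) contains u(v), and w[z] precedes both copycats, which is exactly the sequential shape the syntactic tree imposes; the two branches of CASE_EXAMPLE share only the empty configuration, as the union of two prefixed structs with distinct initial events.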


4 Acyclicity of Causal Structures 


The space of causal structs is unfortunately too broad to provide a notion of 
causal nets, due in particular to the presence of deadlocks during composition. 
As a first step towards defining causal nets, we introduce in this section a con- 
dition on causal structs inspired by the tensor rule in Linear Logic. In Sect. 4.1, 
we propose a notion of communication between actions, based on causality. In 
Sect. 4.2, we introduce a notion of acyclicity which is shown to be stable under 
composition and ensures deadlock-free composition. 


4.1 Communication in Causal Structures 


The tensor rule of Linear Logic says that after a tensor u[v], the proof splits 
into two independent subproofs, one handling u and the other v. This syntactic 
condition is there to ensure that there are no communications between u and v. 
More precisely, we want to prevent any dependence between subsequent actions 
on u and an action on v. Indeed such a causal dependence could create a dead- 
lock when facing a par rule u(v), which is allowed to put arbitrary dependence 
between such subsequent actions. 


Communication in MLL. Let us start by the case of MLL, which corresponds to 
the case where games do not have conflicts. Consider the following three causal 
structs: 


The causal structs σ1 and σ2 play on the game ⟦u : X⊥ ⊗ Y⊥, v : X ⅋ Y⟧, while 
σ3 plays on the game ⟦u : X⊥ ⊗ Y⊥, v : X ⊗ Y⟧. The causal structs σ2 and σ3 are 
very close to proof nets, and it is easy to see that σ2 represents a correct proof net 
while σ3 does not. In particular, there exists a proof P such that Tr(P) ⊆ σ2 but 
there is no such proof Q for σ3. Clearly, σ3 should not be acyclic. But should 
σ2? After all it is sequentialisable. But, in all sequentialisations of σ2, the par 
rule v(z) is applied before the tensor u[w], and this dependency is not reflected 
by σ2. Since our goal is exactly to compute these implicit dependencies, we will 
only consider σ1 to be acyclic, by using a stronger sequentialisation criterion: 


Definition 5. A causal struct σ : ⟦Γ⟧ is strongly sequentialisable when for 
all x ∈ σ, there exists P ⊳ Γ with x ∈ Tr(P) and Tr(P) ⊆ σ. 


To understand the difference between σ1 and σ2, we need to look at causal 
chains. In both σ1 and σ2, we can go from u : X⊥ to w : Y⊥ by following 
immediate causal links (in any direction), but observe that in σ1 they must all 
cross an event below u[w] (namely v(z) or u[w]). This prompts us to define a 
notion of communication outside a configuration x: 


Definition 6. Given σ : A and x ∈ σ we say that a, a′ ∈ A \ x communicate 
outside x (written $a \rightsquigarrow_{x,\sigma} a'$) when there exists a chain 
$a \mapsto_{x,\sigma} a_0 \mapsto_{x,\sigma} \dots \mapsto_{x,\sigma} a_n \mapsto_{x,\sigma} a'$ 
where all the $a_i \in A \setminus x$, and $\mapsto_{x,\sigma}$ denotes the symmetric closure of 
immediate causality in σ. 
Communication in MALL. In presence of additives, immediate causality is not 
the only vector of communication. Consider the following causal struct σ4, play- 
ing on the context u : (A & A) ⊗ (A & A), v : (A ⊕ A) & (A ⊕ A) where A is 
irrelevant: 


[Diagram of σ4 omitted: the events u(inl), u(inr), w(inl), w(inr), v[inl], v[inr], 
u[w], v(inl), v(inr), together with their causal links and minimal conflicts.] 


This pattern is not strongly sequentialisable: the tensor u[w] must always go after 
the &-introduction on v, since we need this information to know whether 
v should go with u or w when splitting the context. Yet, it is not possible to 
find a communication path from one side to the other by following purely causal 
links without crossing u[w]. There is however a path that uses both immediate 
causality and minimal conflict. This means that we should identify events in 
minimal conflict, since they represent the same &-introduction rule. Concretely, 
this means lifting the previous definition to the level of cells. Given a causal 
struct σ : A and x ∈ σ, along with two cells α, α′ of A/x, we define the relation 
$\alpha \mapsto_{x,\sigma} \alpha'$ when there exist a ∈ α and a′ ∈ α′ such that $a \mapsto_{x,\sigma} a'$; and $\alpha \rightsquigarrow_{x,\sigma} \alpha'$ 
when there exists a chain $\alpha \mapsto_{x,\sigma} \alpha_0 \mapsto_{x,\sigma} \dots \mapsto_{x,\sigma} \alpha_n \mapsto_{x,\sigma} \alpha'$ where all the $\alpha_i$ do not 
intersect x. For instance, the two cells which are successors of the tensor u[w] 
in σ4 communicate outside the configuration {u[w]} by going through the cell 
{v(inl), v(inr)}. 


4.2 Definition of Acyclicity on Causal Structures 


Since games are trees, two events a, a′ are either incomparable or have a meet 
a ∧ a′. If a ∧ a′ is defined and positive, we say that a and a′ have positive 
meet, which means that they are on two distinct branches of a tensor. If a ∧ a′ 
is undefined, or defined and negative, we say that a and a′ have negative meet. 
When the meet is undefined, it means that a and a′ are events of different 
components of the context. We consider the meet to be negative in this case, 
since components of a context are related by an implicit par. 

These definitions are easily extended to cells. The meet α ∧ α′ of two cells 
α and α′ of A is the meet a ∧ a′ for a ∈ α and a′ ∈ α′: by confusion-freeness, 
it does not matter which ones are chosen. Similarly, we say that α and α′ have 
positive meet if α ∧ α′ is defined and positive; and have negative meet otherwise. 
These definitions formalise the idea of “the two sides of a tensor”, and allow us 
to define acyclicity. 


Definition 7. A causal struct σ : A is acyclic when for all x ∈ σ, for any cells 
α, α′ not intersecting x and with positive meet, if $\alpha \rightsquigarrow_{x,\sigma} \alpha'$ then $\alpha \wedge \alpha' \notin x$. 


This captures the desired intuition: if α and α′ are on two sides of a tensor a (i.e. 
have positive meet), and there is a communication path outside x relating them, 
then a must also be outside x (and implicitly, the communication path must be 
going through a). 

Reasoning on the interaction of acyclic strategies proved to be challenging. 
We prove that acyclic strategies compose, and their interaction is deadlock- 
free, when composition is on a rooted game B. This crucial assumption arises 
from the fact that in linear logic, cuts are on formulas. It entails that for any 
b, b′ ∈ B, b ∧ b′ is defined, hence must be positive either from the point of view 
of σ or of τ. 


Theorem 1. For acyclic causal structs σ : A⊥ || B and τ : B⊥ || C, (1) their 
interaction is deadlock-free: $\tau \circledast \sigma = (\sigma \parallel C) \cap (A \parallel \tau)$; and (2) the causal struct 
τ ⊙ σ is acyclic. 


As a result, acyclic and asynchronous causal structs form a category. We 
believe this intermediate category is interesting in its own right since it gener- 
alises the deadlock-freeness argument of Linear Logic without having to assume 
other constraints coming from Linear Logic, such as linearity. In the next section, 
we study further restrictions on acyclic causal structs which guarantee strong 
sequentialisability. 


5 Causal Nets and Sequentialisation 


We are now ready to introduce causal nets. In Sect. 5.1, we give their definition by 
restricting acyclic causal structs and in Sect. 5.2 we prove that causal nets are 
strongly sequentialisable. 


5.1 Causal Nets: Totality and Well-Linking Causal Structs 


To ensure that our causal structs are strongly sequentialisable, acyclicity is not 
enough. First, we need to require causal structs to respect the linearity discipline 
of Linear Logic: 


Definition 8. A causal struct σ : A is total when (1) for x ∈ σ, if x is maximal 
in σ, then it is maximal in 𝒞(A); and (2) for x ∈ σ and $a^{-} \in A \setminus x$ such that 
x ∪ {a} ∈ σ, whenever a and a′ are in minimal conflict, we also have x ∪ {a′} ∈ σ. 


The first condition forces a causal struct to play until there are no moves to play, 
and the second forces a causal struct to be receptive to all Opponent choices, 
not a subset. 

Our last condition constrains axiom links. A linking of a game A is a pair 
(x, ℓ) of a configuration $x \in \max \mathcal{C}(A)$ and a bijection $\ell : \max_{+}(x) \simeq (\max_{-}(x))^{\perp}$ preserving 
the atom labelling. 


Definition 9. A total causal struct σ : A is well-linking when for each x ∈ 
max(σ), there exists a linking $\ell_x$ of x, such that if y is a prime configuration of 
$\ell_x(e)$ in x, then $\max(y \setminus \{\ell_x(e)\}) = \{e\}$. 
This ensures that every positive atom has a unique predecessor which is a neg- 
ative atom. 


Definition 10. A causal net is an acyclic, total and well-linking causal struct. 


A causal net σ : A induces a set of linkings of A, $\mathrm{link}(\sigma) := \{\, \ell_x \mid x \in \max \sigma \,\}$. The 
mapping link(·) maps causal nets to the proof nets of [22]. 


5.2 Strong Sequentialisation of Causal Nets 


Our proof of sequentialisation relies on an induction on causal nets. To this 
end, we provide an inductive deconstruction of parallel proofs. Consider σ : A 
a causal net and a minimal event a ∈ σ not an atom. We write A/a for A/{a}. 
Observe that if A = ⟦Δ⟧, it is easy to see that there exists a context Δ/a such 
that ⟦Δ/a⟧ = A/a. Given a causal struct σ : A, we define the causal struct 
$\sigma/a = \{\, x \in \mathcal{C}(A/a) \mid x \cup \{a\} \in \sigma \,\} : A/a$. 


Lemma 2. σ/a is a causal net on A/a. 


When a is positive, we can further decompose σ/a into disjoint parts thanks to 
acyclicity. Write $\alpha_1, \dots, \alpha_n$ for the minimal cells of A/a and consider, for n ≥ k > 0, 
$A_k = \{\, a' \in A/a \mid \mathrm{cell}(a') \rightsquigarrow_{\emptyset,\sigma/a} \alpha_k \,\}$. $A_k$ contains the events of A/a which σ 
connects to the k-th successor of a. We also define the set $A_0 = A/a \setminus \bigcup_{0 < k \leq n} A_k$ 
of events not connected to any successor of a (this can happen with MIX). It 
inherits a game structure from A. 

Each subset inherits a game structure from A/a. By acyclicity of σ, the 
$A_k$ are pairwise disjoint, so $A/a = A_0 \parallel \dots \parallel A_n$. For 0 ≤ k ≤ n, define 
$\sigma_k = \mathcal{C}(A_k) \cap \sigma/a$. 


Lemma 3. $\sigma_k$ is a causal net on $A_k$ and we have $\sigma/a = \sigma_0 \parallel \dots \parallel \sigma_n$. 


This formalises the intuition that after a tensor, an acyclic causal net must be 
a parallel composition of proofs (following the syntactic shape of the tensor rule 
of Linear Logic). From this result, we show by induction that any causal net is 
strongly sequentialisable. 


Theorem 2. If σ : A is a causal net, then σ is strongly sequentialisable. 


We believe sequentialisation without MIX requires causal nets to be connected: 
two cells with negative meets always communicate outside any configuration 
they are absent from. We leave this lead for future work. 


6 Causal Invariants and Completeness 


Causal nets are naturally ordered by inclusion. When σ ⊆ τ, we can regard τ as 
a less sequential implementation of σ. Two causal nets which are upper bounded 
by a causal net should represent the same proof, but with varying degrees of 
sequentiality. Causal nets which are maximal for inclusion (among causal nets) 
are hence most parallel implementations of a certain behaviour and capture our 
intuition of causal invariants. 


Definition 11. A causal invariant is a causal net σ : A maximal for 
inclusion. 
6.1 Causal Invariants as Maximal Causal Nets 


We start by characterising when two causal nets are upper-bounded for inclusion: 


Proposition 1. Given two causal nets σ, τ : A, the following are equivalent: 


1. there exists a causal net υ : A such that σ ⊆ υ and τ ⊆ υ, 
2. the set $\sigma \vee \tau = \{\, x \cup y \mid x \in \sigma,\ y \in \tau,\ x \cup y \in \mathcal{C}(A) \,\}$ is a causal net on A, 
3. link(σ) = link(τ). 


In this case we write σ ↑ τ, and σ ∨ τ is the least upper bound of σ and τ for ⊆. 


It is a direct consequence of Proposition 1 that any causal net σ is included 
in a unique causal invariant $\sigma^{!} : A$, defined as $\sigma^{!} = \bigvee_{\sigma \subseteq \tau} \tau$, where τ ranges 
over causal nets. 


Lemma 4. For σ, τ : A causal nets, σ ↑ τ iff $\sigma^{!} = \tau^{!}$. Moreover, if σ and τ are 
causal invariants, σ ↑ τ if and only if σ = τ. 


[Fig. 5, three panels: (a) Tr(P); (b) ⟦P⟧, its interpretation; (c) the proof net for P.] 
Fig. 5. Interpreting P = u(u′). v(v′). w[w′]. ([u ↔ w] | ([w′ ↔ v′] | [u′ ↔ v])) in the 
context u : X ⅋ Z⊥, v : Z ⅋ Y, w : X⊥ ⊗ Y⊥ 


The interpretation of a proof P ⊳ Δ is simply defined as $⟦P⟧ = \mathrm{Tr}(P)^{!}$. Figure 5c 
illustrates the construction on a proof of MLL+mix. The interpretation features 
a disjunctive causality, as the tensor can be introduced as soon as one of the 
two pars has been. 

Defining link(P) = link(Tr(P)), we have from Lemma 4: link(P) = link(Q) 
if and only if ⟦P⟧ = ⟦Q⟧. This implies that our model has the same equational 
theory as the proof nets of [22]. Such proof nets are already complete: 


Theorem 3 ([22]). For P, Q two proofs of Γ, we have P ≡ Q iff link(P) = 
link(Q). 


As a corollary, we get: 


Theorem 4. For cut-free proofs P, Q we have P ≡ Q iff ⟦P⟧ = ⟦Q⟧. 
The technical report [7] also provides an inductive proof not using the result 
of [22]. A consequence of this result, along with strong sequentialisation, is: 
$⟦P⟧ = \bigcup_{Q \equiv P} \mathrm{Tr}(Q)$. This equality justifies our terminology of “causal completeness”, 
as for instance it implies that the minimal events of ⟦P⟧ correspond exactly to 
the possible rules in P that can be pushed to the front using the commuting 
conversions. 


6.2 The Category of Causal Invariants 


So far we have focused on the static. Can we integrate the dynamic aspect of 
proofs as well? In this section, we show that causal invariants organise themselves 
in a category. First, we show that causal nets are stable under composition: 


Lemma 5. If σ : A⊥ || B and τ : B⊥ || C are causal nets, then so is τ ⊙ σ. 


Note that totality requires acyclicity (and deadlock-freedom) to be stable 
under composition. However, causal invariants are not stable under composition: 
τ ⊙ σ might not be maximal, even if τ and σ are. Indeed, during the interaction, 
some branches of τ will not be explored by σ and vice-versa, which can lead to 
new allowed reorderings. However, we can always embed τ ⊙ σ into $(\tau \odot \sigma)^{!}$: 


Lemma 6. Rooted games and causal invariants form a category CInv, where 
the composition of σ : A⊥ || B and τ : B⊥ || C is $(\tau \odot \sigma)^{!}$ and the identity on A 
is $\mathsf{cc}_A$. 


Note that the empty game is an object of CInv, as we need a monoidal unit. 


Monoidal-closed structure. Given two games A and B we define A ⊗ B as $\mathrm{send}^{+} \cdot (A \parallel B)$, 
and 1 as the empty game. There are obvious isomorphisms A ⊗ 1 ≅ A 
and A ⊗ (B ⊗ C) ≅ (A ⊗ B) ⊗ C in CInv. We now show how to compute directly 
the functorial action of ⊗, without resorting to $(-)^{!}$. Consider σ ∈ CInv(A, B) 
and τ ∈ CInv(C, D). Given $x \in \mathcal{C}((A \otimes C)^{\perp} \parallel (B \otimes D))$, we define $x(\sigma) = x \cap (A^{\perp} \parallel B)$ 
and $x(\tau) = x \cap (C^{\perp} \parallel D)$. If x(σ) ∈ σ and x(τ) ∈ τ, we say that 
x is connected when there exist cells α, β, γ and δ of A, B, C and D respectively 
such that $\alpha \rightsquigarrow_{x(\sigma),\sigma} \beta$ and $\gamma \rightsquigarrow_{x(\tau),\tau} \delta$. We define: 


$$\sigma \otimes \tau = \left\{\, x \in \mathcal{C}((A \otimes C)^{\perp} \parallel (B \otimes D)) \ \text{such that}\ \begin{array}{l} (1)\ x(\sigma) \in \sigma \text{ and } x(\tau) \in \tau \\ (2)\ \text{if } x \text{ is connected and contains } \mathrm{send}^{+}, \text{ then } \mathrm{send}^{-} \in x \end{array} \right\}$$


In (2), $\mathrm{send}^{-}$ refers to the minimal move of $(A \otimes C)^{\perp}$ and $\mathrm{send}^{+}$ to the one of 
B ⊗ D. (2) ensures that σ ⊗ τ is acyclic. 


Lemma 7. The tensor product defines a symmetric monoidal structure on 
CInv. 


Define A ⅋ B = (A⊥ ⊗ B⊥)⊥, ⊥ = 1 = ∅ and A ⊸ B = A⊥ ⅋ B. 
Lemma 8. We have a bijection $\varphi_{A,B,C}$ between causal invariants on A || B || C 
and on A || (B ⅋ C). As a result, there is an adjunction A ⊗ − ⊣ A ⊸ −. 


Lemma 8 implies that CInv((A ⊸ ⊥) ⊸ ⊥) ≅ CInv(A), and CInv is 
*-autonomous. 


Cartesian products. Given two games A, B in CInv, we define their product 
A & B = inl⁻ · A + inr⁻ · B. We show how to construct the pairing of two 
causal invariants concretely. Given σ ∈ CInv(A, B) and τ ∈ CInv(A, C), we 
define the common behaviour of σ and τ on A to be those x ∈ 𝒞(A⊥) ∩ σ ∩ τ 
such that for all α, α′ outside of x with positive meet, $\alpha \rightsquigarrow_{x,\sigma} \alpha'$ iff $\alpha \rightsquigarrow_{x,\tau} \alpha'$. 
We write $\sigma \cap_A \tau$ for the set of common behaviours of σ and τ and define: 
$\langle \sigma, \tau \rangle = (\mathrm{L}^{-} \cdot \sigma) \cup (\mathrm{R}^{-} \cdot \tau) \cup \sigma \cap_A \tau$. The projections are defined using copycat: 
$\pi_1 = \{\, x \in \mathcal{C}((A \,\&\, B)^{\perp} \parallel A) \mid x \cap (A^{\perp} \parallel A) \in \mathsf{cc}_A \,\}$ (and similarly for $\pi_2$). 


Theorem 5. CInv has products. As it is also *-autonomous, it is a model of 
MALL. 


It is easy to see that the interpretation of MALL⁻ in CInv following the 
structure is the same as ⟦−⟧; however, it is computed compositionally without 
resorting to the $(-)^{!}$ operator. We deduce that our interpretation is invariant by 
cut-elimination: if P — Q, then [P] = [Q]. Putting the pieces together, we get 
the final result. 


Theorem 6. CInv is an injective and fully complete model of MALL⁻. 


7 Extensions and Related Work 


The model provides a representation of proofs which retains only the necessary 
sequentiality. We study the phenomenon in Linear Logic, but commuting con- 
versions of additives arise in other languages, e.g. in functional languages with 
sums and products, where proof nets do not necessarily exist. Having an abstract 
representation of which reorderings are allowed could prove useful (reasoning on 
the possible commuting conversions in a language with sum types is notoriously 
difficult). 


Extensions. Exponentials are difficult to add, as their conversions are not as 
canonical as those of MALL. Cyclic proofs [2] could be accommodated via recursive 
event structures. 

Adding multiplicative units while keeping determinism is difficult, as their com- 
muting conversion is subtle (e.g. conversion for MLL is PSPACE-complete [18]), 
and exhibits apparent nondeterminism. For instance the following proofs are con- 
vertible in MLL: 


$$a().\,b[] \mid c[] \;\equiv\; a().\,(b[] \mid c[]) \;\equiv\; b[] \mid a().\,c[] \;\vdash\; a : \bot,\ b : 1,\ c : 1$$ 
where a(). P is the process counterpart to the introduction of ⊥ and a[] to that of 1. Intu- 
itively, b[] and c[] can be performed at the start, but as soon as one is performed, 


166 S. Castellan and N. Yoshida 


the other has to wait for the input on a. This cannot be modelled inside determin- 
istic general event structures, as it is only deterministic against an environment 
that will emit on b. In contrast, proofs of MALL⁻ remain deterministic even if 
their environment is not total. 

We would also be interested in recasting multifocusing [9] in our setting by defin- 
ing a class of focused causal nets, where there is no concurrency between pos- 
itive and negative events, and showing that sequentialisation always gives a focused 
proof. 


Related work. The first fully complete model of MALL” is based on closure 
operators [1], later extended to full Linear Logic [24]. True concurrency is used 
to define innocence, on which the full completeness result rests. However their 
model does not take advantage of concurrency to account for permutations, as 
strategies are sequential. This investigation has been extended to concurrent 
strategies by Mimram and Melliès [25,26]. De Carvalho showed that the rela- 
tional model is injective for MELL [11]. In another direction, [4] provides a fully 
complete model for MALL without game semantics, by using a glueing construc- 
tion on the model of hypercoherences. [21] explores proof nets for a weaker theory 
of commuting conversions for MALL. 

The idea of having intermediate representations between proof nets and 
proofs has been studied by Faggian and coauthors using L-nets [10, 13-16], lead- 
ing to a similar analysis to ours: they define a space of causal nets as partial 
orders and compare different versions of proofs with varying degree of paral- 
lelism. Our work recasts this idea using event structures and adds the notion of 
causal completeness: keeping jumps that cannot be undone by a permutation, 
which leads naturally to step outside partial orders, as well as full completeness: 
which causal nets can be strongly sequentialised? 

The notion of dependency between logical rules has also been studied in [3] 
in the case of MLL. From a proof net R, they build a partial order Dx (R) 
which we believe is very related to ⟦P⟧ where P is a sequentialisation of R. 
Indeed, in the case of MLL without MIX a partial order is enough to capture the 
dependency between rules. The work [12] shows that permutation rules of Linear 
Logic, understood as asynchronous optimisations on processes, are included in 
the observational equivalence. [19] studies mutual embedding between polarised 
proof nets [23] and the control π-calculus [20]. In another direction, we have 
recently built a fully-abstract, concurrent game semantics model of the syn- 
chronous session π-calculus [8]. The difficulty there was to understand name 
passing and the synchrony of the π-calculus, which is the dual of our objective 
here: trying to understand the asynchrony behind the conversions of MALL⁻. 
Abstract. The paper develops an abstract (over-approximating) 
semantics for double-pushout rewriting of graphs and graph-like objects. 
The focus is on the so-called materialization of left-hand sides from 
abstract graphs, a central concept in previous work. The first contri- 
bution is an accessible, general explanation of how materializations arise 
from universal properties and categorical constructions, in particular par- 
tial map classifiers, in a topos. Second, we introduce an extension by 
enriching objects with annotations and give a precise characterization of 
strongest post-conditions, which are effectively computable under certain 
assumptions. 


1 Introduction 


Abstract interpretation [12] is a fundamental static analysis technique that 
applies not only to conventional programs but also to general infinite-state sys- 
tems. Shape analysis [30], a specific instance of abstract interpretation, pioneered 
an approach for analyzing pointer structures that keeps track of information 
about the “heap topology”, e.g., out-degrees or existence of certain paths. One 
central idea of shape analysis is materialization, which arises as companion oper- 
ation to summarizing distinct objects that share relevant properties. Materializa- 
tion, a.k.a. partial concretization, is also fundamental in verification approaches 
based on separation logic [5,6,24], where it is also known as rearrangement [26], 
a special case of frame inference. Shape analysis—construed in a wide sense—has 
been adapted to graph transformation [29], a general purpose modelling language 
for systems with dynamically evolving topology, such as network protocols and 
cyber-physical systems. Motivated by earlier work of shape analysis for graph 
transformation [1,2,4,27,28,31], we want to put the materialization operation 
on a new footing, widening the scope of shape analysis. 

A natural abstraction mechanism for transition systems with graphs as states 
“summarizes” all graphs over a specific shape graph. Thus a single graph is used 
as abstraction for all graphs that can be mapped homomorphically into it. Fur- 
ther annotations on shape graphs, such as cardinalities of preimages of its nodes 
and general first-order formulas, enable fine-tuning of the granularity of abstrac- 
tions. While these natural abstraction principles have been successfully applied 
in previous work [1,2,4,27, 28,31], their companion materialization constructions 
are notoriously difficult to develop, hard to understand, and are redrawn from 
scratch for every single setting. Thus, we set out to explain materializations 
based on mathematical principles, namely universal properties (in the sense of 
category theory). In particular, partial map classifiers in the topos of graphs 
(and its slice categories) cover the purely structural aspects of materializations; 
this is related to final pullback complements [13], a fundamental construction 
of graph rewriting [7,25]. Annotations of shape graphs are treated orthogonally 
via op-fibrations. 

The first milestones of a general framework for shape analysis of graph trans- 
formation and more generally rewriting of objects in a topos are the following: 
• A rewriting formalism for graph abstractions that lifts the rule-based rewriting 
from single graphs to abstract graphs; it is developed for (abstract) objects in a 
topos. 

• We characterize the materialization operation for abstract objects in a topos 
in terms of partial map classifiers, giving a sound and complete description of 
all occurrences of right-hand sides of rules obtained by rewriting an abstract 
object. — Sect. 3 
• We decorate abstract objects with annotations from an ordered monoid 
and extend abstract rewriting to abstract objects with annotations. For the 
specific case of graphs, we consider global annotations (counting the nodes 
and edges in a graph), local annotations (constraining the degree of a node), 
and path annotations (constraining the existence of paths between certain 
nodes). — Sect. 4 
• We show that abstract rewriting with annotations is sound and, with addi- 
tional assumptions, complete. Finally, we derive strongest post-conditions for 
the case of graph rewriting with annotations. — Sect. 5 


Related work: The idea of shape graphs together with shape constraints was pio- 
neered in [30] where the constraints are specified in a three-valued logic. A similar 
approach was proposed in [31], using first-order formulas as constraints. In part- 
ner abstraction [3,4], cluster abstraction [1,2], and neighbourhood abstraction 
[28] nodes are clustered according to local criteria, such as their neighbourhood 
and the resulting graph structures are enriched with counting constraints, sim- 
ilar to our constraints. The idea of counting multiplicities of nodes and edges 
is also found in canonical graph shapes [27]. The uniform treatment of monoid 
annotations was introduced in previous work [9,10,20], in the context of type 
systems and with the aim of studying decidability and closure properties, but 
not for abstract rewriting. 
2 Preliminaries 


This paper presupposes familiarity with category theory and the topos structure 
of graphs. Some concepts (in particular elementary topoi, subobject and partial 
map classifiers, and slice categories) are defined in the full version of this paper 
[8], which also contains all the proofs. 

The rewriting formalism for graphs and graph-like structures that we use 
throughout the paper is the double-pushout (DPO) approach [11]. Although it 
was originally introduced for graphs [16], it is well-defined in any category C. 
However, certain standard results for graph rewriting require that the cate- 
gory C has “good” properties. The category of graphs is an elementary topos—an 
extremely rich categorical structure—but weaker conditions on C, for instance 
adhesivity, have been studied [14,15,21]. 


Definition 1 (Double-pushout rewriting). A production in C is a span of 
monos L ↢ I ↣ R in C; the objects L and R are called left- and right-hand 
side, respectively. A match of a production p: L ↢ I ↣ R to an object X of C 
is a mono $m_L : L \to X$ in C. The production p rewrites X to Y at $m_L$ (resp. the 
match $m_L$ to the co-match $m_R : R \to Y$) if the production and the match (and 
the co-match) extend to a diagram in C, shown below, such that both squares 
are pushouts. 

[Diagram: the span L ↢ I ↣ R above the span X ↢ C ↣ Y, joined by the 
vertical arrows $m_L$, the arrow from I into C, and $m_R$; both squares are marked (PO).] 

In this case, we write $X \Rightarrow_{p, m_L} Y$ (resp. $(L \xrightarrow{m_L} X) \Rightarrow_p (R \xrightarrow{m_R} Y)$). We also write 
$X \Rightarrow_{p, m_L}$ if there exists an object Y such that $X \Rightarrow_{p, m_L} Y$, and $X \Rightarrow_p Y$ if the specific 
match $m_L$ is not relevant. 


Given a production p and a match mz, if there exist arrows X — C and 
C — I that make the left-hand square of the diagram in Definition 1 a pushout 
square, then the gluing condition is satisfied. 

If C is an adhesive category (and thus also if it is a topos [22]) and the pro- 
duction consists of monos, then all remaining arrows of double-pushout diagrams 
of rewriting are monos [21] and the result of rewriting—be it the object Y or 
the co-match mp—is unique (up to a canonical isomorphism). 


2.1 Subobject Classifiers and Partial Map Classifiers of Graphs 


A standard category for graph rewriting that is also a topos is the category of 
edge-labelled, directed graphs that we shall use in examples, as recalled in the 
next definition. Note that due to the generality of the categorical framework, our 
results also hold for various other forms of graphs, such as node-labelled graphs, 
hypergraphs, graphs with scopes or graphs with second-order edges. 


Definition 2 (Category of graphs). Let Λ be a fixed set of edge labels. 
A (Λ-labelled) graph is a tuple $G = (V_G, E_G, \mathrm{src}_G, \mathrm{tgt}_G, \ell_G)$ where $V_G$ is a 
finite set of nodes, $E_G$ is a finite set of edges, $\mathrm{src}_G, \mathrm{tgt}_G : E_G \to V_G$ are 
the source and target mappings and $\ell_G : E_G \to \Lambda$ is the labelling function. 
Let G, H be two Λ-labelled graphs. A graph morphism φ: G → H con- 
sists of two functions $\varphi_V : V_G \to V_H$, $\varphi_E : E_G \to E_H$, such that for each edge 
$e \in E_G$ we have $\mathrm{src}_H(\varphi_E(e)) = \varphi_V(\mathrm{src}_G(e))$, $\mathrm{tgt}_H(\varphi_E(e)) = \varphi_V(\mathrm{tgt}_G(e))$ and 
$\ell_H(\varphi_E(e)) = \ell_G(e)$. If $\varphi_V, \varphi_E$ are both bijective, φ is an isomorphism. The cat- 
egory having (Λ-labelled) graphs as objects and graph morphisms as arrows is 
denoted by Graph. 


We shall often write φ instead of $\varphi_V$ or $\varphi_E$ to avoid clutter. The graph 
morphisms in our diagrams will be indicated by black and white nodes and 
thick edges. In the category Graph, where the objects are labelled graphs 
over the label alphabet Λ, the subobject classifier true: 1 → Ω is displayed 
in the figure below, where every Λ-labelled edge represents several edges, one for 
each λ ∈ Λ. 

[Figure omitted: the subobject classifier Ω of Graph, drawn with Λ-labelled edges, 
each standing for one edge per λ ∈ Λ.] 


The subobject classifier true: 1 → Ω from the terminal object 1 to Ω allows 
us to single out a subgraph X of a graph Y, by mapping Y to Ω in such a way 
that all elements of X are mapped to the image of true. 

Given arrows α, m as in the diagram in Definition 3, we can construct the 
most general pullback, called final pullback complement [7,13]. 


Definition 3 (Final pullback complement). A pair of arrows $I \xrightarrow{\gamma} F \xrightarrow{\beta} G$ 
is a final pullback complement (FPBC) of another pair $I \xrightarrow{\alpha} L \xrightarrow{m} G$ if 

– they induce a pullback square, and 
– for each pullback square $G \xleftarrow{\beta'} F' \xleftarrow{\gamma'} I' \xrightarrow{\alpha'} L \xrightarrow{m} G$ and arrow $f : I' \to I$ such that $\alpha \circ f = \alpha'$, 
there exists a unique arrow $f' : F' \to F$ such that $\beta \circ f' = \beta'$ and $\gamma \circ f = f' \circ \gamma'$ both hold. 

[Diagram omitted: the square formed by $I \xrightarrow{\alpha} L \xrightarrow{m} G$ and $I \xrightarrow{\gamma} F \xrightarrow{\beta} G$, 
marked (FPBC), together with the comparison square through $I'$, $F'$ and the arrows f, f′.] 


Final pullback complements and subobject classifiers are closely related to 
partial map classifiers (see [13, Corollary 4.6]): a category has FPBCs (over 
monos) and a subobject classifier if and only if it has a partial map classifier. 
These exist in all elementary topoi. 


Proposition 4 (Final pullback complements, subobject and partial 
map classifiers). Let C be a category with finite limits. Then the following 
are equivalent: 


(1) C has a subobject classifier true: 1 → Ω and final pullback complements for 
each pair of arrows $I \xrightarrow{\alpha} L \xrightarrow{m} G$ with m mono; 
(2) C has a partial map classifier $(F : \mathbf{C} \to \mathbf{C},\ \eta : \mathrm{Id} \to F)$. 


2.2 Languages 


The main theme of the paper is “simultaneous” rewriting of entire sets of objects 
of a category by means of rewriting a single abstract object that represents 
a collection of structures—the language of the abstract object. The simplest 
example of an abstract structure is a plain object of a category to which we 
associate the language of objects that can be mapped to it; the formal definition 
is as follows (see also [10]). 


Definition 5 (Language of an object). Let A be an object of a category C. 
Given another object X, we write X ⇢ A whenever there exists an arrow 
from X to A. We define the language¹ of A, denoted by L(A), as 
$\mathcal{L}(A) = \{\, X \in \mathbf{C} \mid X \dashrightarrow A \,\}$. 


Whenever X ∈ L(A) holds, we will say that X is abstracted by A, and A
is called the abstract object. In the following we will also need to characterize a
class of (co-)matches which are represented by a given (co-)match (which is a
mono).


Definition 6 (Language of a mono). Let φ: L ↣ A be a mono in C. The
language of φ is the set of monos m with source L that factor φ such that the
square on the right is a pullback:

L(φ) = {m: L ↣ X | ∃ψ: (X → A) such that square (1) is a pullback}

[Diagram (1) omitted: the square with m: L ↣ X on top, φ: L ↣ A at the bottom, id_L: L → L on the left and ψ: X → A on the right, marked (PB).]


Intuitively, for any arrow (L →m X) ∈ L(φ) we have X ∈ L(A) and X has a
distinguished subobject L which corresponds precisely to the subobject L ↣ A.
In fact ψ restricts and co-restricts to an isomorphism between the images of L
in X and A. For graphs, no nodes or edges in X outside of L are mapped by ψ
into the image of L in A.


3 Materialization 


Given a production p: L ↢ I ↣ R, an abstract object A, and a (possibly
non-monic) arrow φ: L → A, we want to transform the abstract object A in
order to characterize all successors of objects in L(A), i.e., those obtained by
rewriting via p at a match compatible with φ. (Note that φ is not required to
be monic, because a monic image of the left-hand side of p in an object of L(A)
could be mapped non-injectively to A.) Roughly, we want to lift DPO rewriting
to the level of abstract objects.

For this, it is necessary to use the materialization construction, defined
categorically in Sect. 3.1, that enables us to concretize an instance of a left-hand
side in a given abstract object. This construction is refined in Sect. 3.2 where
we restrict to materializations that satisfy the gluing condition and can thus
be rewritten via p. Finally in Sect. 3.3 we present the main result about
materializations showing that we can fully characterize the co-matches obtained by
rewriting.


1 Here we assume that C is essentially small, so that a language can be seen as a set 
instead of a proper class of objects. 
3.1 Materialization Category and Existence of Materialization


From now on we assume C to be an elementary topos. We will now define the
materialization, which, given an arrow φ: L → A, characterizes all objects X,
abstracted over A, which contain a (monic) occurrence of the left-hand side
compatible with φ.


Definition 7 (Materialization). Let φ: L → A be an arrow in C. The
materialization category for φ, denoted Mat_φ, has as objects all factorizations
L ↣ X → A of φ whose first factor L ↣ X is a mono, and as arrows from a
factorization L ↣ X → A to another one L ↣ Y → A, all arrows f: X → Y in C
such that the diagram to the right is made of a commutative triangle and a
pullback square.

[Diagram omitted: the triangle formed by X →f Y, Y → A and X → A commutes, and the square formed by L ↣ X, f: X → Y, L ↣ Y and id_L is a pullback.]


If Mat_φ has a terminal object it is denoted by L ↣ ⟨φ⟩ → A and is called the
materialization of φ.

Sometimes we will also call the object ⟨φ⟩ the materialization of φ, omitting the
arrows.

Since we are working in a topos by assumption, the slice category over A
provides us with a convenient setting to construct materializations. Note in
particular that in the diagram in Definition 7 above, the span X ↢ L → L is a
partial map from X to L in the slice category over A. Hence the materialization
⟨φ⟩ corresponds to the partial map classifier for L in this slice category.


Proposition 8 (Existence of materialization). Let φ: L → A be an arrow
in C, and let η_φ: φ → F(φ), with F(φ): Ā → A, be the partial map classifier
of φ in the slice category C ↓ A (which also is a topos).² Then L →η_φ Ā →F(φ) A is
the materialization of φ, hence ⟨φ⟩ = Ā.


As a direct consequence of Propositions 4 and 8 (and the fact that final pull- 
back complements in the slice category correspond to those in the base category 
[25]), the terminal object of the materialization category can be constructed for 
each arrow of a topos by taking final pullback complements. 


Corollary 9 (Construction of the materialization). Let φ: L → A be an
arrow of C and let true_A: A ↣ A × Ω be the subobject classifier (in the slice
category C ↓ A) from id_A: A → A to the projection π₁: A × Ω → A.

Then the terminal object L →η_φ ⟨φ⟩ →ψ A in the materialization category
consists of the arrows η_φ and ψ = π₁ ∘ χ_φ, where L →η_φ ⟨φ⟩ →χ_φ A × Ω
is the final pullback complement of L →φ A →true_A A × Ω.

[Diagram omitted: the square L →η_φ ⟨φ⟩, ⟨φ⟩ →χ_φ A × Ω, L →φ A, A →true_A A × Ω marked (FPBC), with the projection π₁: A × Ω → A.]


² This is by the Fundamental Theorem of topos theory [17, Theorem 2.31].
Example 10. We construct the materialization L →η_φ ⟨φ⟩ →ψ A for the following
morphism φ: L → A of graphs with a single (omitted) label:

[Diagram omitted: the graphs L and A and the morphism φ between them.]

In particular, the materialization is obtained as a final pullback complement
as depicted to the right (compare with the corresponding diagram in Corollary 9).
Note that edges which are not in the image of η_φ resp. true_A are dashed.

[Diagram omitted: the (FPBC) square of Corollary 9 instantiated for this φ.]


This construction corresponds to the usual intuition behind materialization: 
the left-hand side and the edges that are attached to it are “pulled out” of the 
given abstract graph. 

We can summarize the result of our constructions in the following proposition: 


Proposition 11 (Language of the materialization). Let φ: L → A be an
arrow in C and let L →η_φ ⟨φ⟩ → A be the corresponding materialization. Then
we have

L(L →η_φ ⟨φ⟩) = {L →m_L X | ∃ψ: (X → A). (φ = ψ ∘ m_L)}.


3.2 Characterizing the Language of Rewritable Objects 


A match obtained through the materialization of the left-hand side of a produc- 
tion from a given object may not allow a DPO rewriting step because of the 
gluing condition. We illustrate this problem with an example. 


Example 12. Consider the materialization L ↣ ⟨φ⟩ → A from Example 10 and
the production L ↢ I ↣ R shown in the diagram to the right. It is easy to
see that the pushout complement of morphisms I ↣ L ↣ ⟨φ⟩ does not exist.

[Diagram omitted: the production L ↢ I ↣ R next to the materialization ⟨φ⟩ of Example 10.]

Nevertheless there exist factorizations L ↣ X → A abstracted by ⟨φ⟩ that could
be rewritten using the production.


In order to take the existence of pushout complements into account, we con- 
sider a subcategory of the materialization category. 


Definition 13 (Materialization subcategory of rewritable objects). Let
φ: L → A be an arrow of C and let φ_L: I ↣ L be a mono (corresponding to the
left leg of a production). The materialization subcategory of rewritable objects
for φ and φ_L, denoted Mat_φ^{φ_L}, is the full subcategory of Mat_φ containing as
objects all factorizations L →m X → A of φ, where m is a mono and I →φ_L L →m X
has a pushout complement.

Its terminal element, if it exists, is denoted by L →n_L ⟨φ, φ_L⟩ → A and is
called the rewritable materialization.


We show that this subcategory of the materialization category has a terminal 
object. 


Proposition 14 (Construction of the rewritable materialization). Let
φ: L → A be an arrow and let φ_L: I ↣ L be a mono of C. Then the rewritable
materialization of φ w.r.t. φ_L exists and can be constructed as the following
factorization L →n_L ⟨φ, φ_L⟩ → A of φ. In the left diagram, F is obtained
as the final pullback complement of I →φ_L L →η_φ ⟨φ⟩, where L →η_φ ⟨φ⟩ →ψ A is the
materialization of φ (Definition 7). Next in the right diagram L →n_L ⟨φ, φ_L⟩ ← F
is the pushout of the span L ↢φ_L I ↣ F and the arrow ⟨φ, φ_L⟩ → A is the resulting
mediating arrow.

[Diagrams omitted: left, the (FPBC) square I ↣ F → ⟨φ⟩ over I →φ_L L →η_φ ⟨φ⟩; right, the pushout (PO) of L ↢ I ↣ F with the mediating arrow into A.]


Example 15. We come back to the running example (Example 12) and, as in
Proposition 14, determine the final pullback complement I ↣ F → ⟨φ⟩ of I ↣
L ↣ ⟨φ⟩ (see diagram below left) and obtain ⟨φ, φ_L⟩ by taking the pushout
over L ↢ I ↣ F (see diagram below right).

[Diagrams omitted: left, the (FPBC) square for the running example; right, the pushout (PO) yielding ⟨φ, φ_L⟩.]

It remains to be shown that L → ⟨φ, φ_L⟩ → A represents every factorization
which can be rewritten. As before we obtain a characterization of the rewritable
objects, including the match, as the language of an arrow.
Proposition 16 (Language of the rewritable materialization). Assume
there is a production p: L ↢φ_L I →φ_R R and let L →n_L ⟨φ, φ_L⟩ be the match for the
rewritable materialization for φ and φ_L. Then we have

L(L →n_L ⟨φ, φ_L⟩) = {L →m_L X | ∃ψ: (X → A). (φ = ψ ∘ m_L ∧ X ⇒^{p,m_L})}.


3.3 Rewriting Materializations 


In the next step we will now rewrite the rewritable materialization ⟨φ, φ_L⟩ with
the match L →n_L ⟨φ, φ_L⟩, resulting in a co-match R → B. In particular, we
will show that this co-match represents all co-matches that can be obtained by
rewriting an object X of L(A) at a match compatible with φ. We first start with
an example.


Example 17. We can rewrite the materialization L → ⟨φ, φ_L⟩ → A as follows:

[Diagram omitted: the DPO rewriting step of the running example, with the two pushout squares leading from ⟨φ, φ_L⟩ to the result B.]


Proposition 18 (Rewriting abstract matches). Let a match n_L: L ↣ A
and a production p: L ↢ I ↣ R be given. Assume that A is rewritten along the
match n_L, i.e., (L →n_L A) ⇒^p (R →n_R B). Then

L(R →n_R B) = {R →m_R Y | ∃(L →m_L X) ∈ L(L →n_L A). ((L →m_L X) ⇒^p (R →m_R Y))}


If we combine Propositions 16 and 18, we obtain the following corollary that
characterizes the co-matches obtained from rewriting a match compatible with
φ: L → A.

Corollary 19 (Co-match language of the rewritable materialization).
Let φ: L → A and a production p: L ↢φ_L I →φ_R R be given. Assume that ⟨φ, φ_L⟩ is
obtained as the rewritable materialization of φ and φ_L, with match L →n_L ⟨φ, φ_L⟩
(see Proposition 14). Furthermore let (L →n_L ⟨φ, φ_L⟩) ⇒^p (R →n_R B). Then

L(R →n_R B) = {R →m_R Y | ∃(L →m_L X), (X →ψ A). (φ = ψ ∘ m_L ∧
(L →m_L X) ⇒^p (R →m_R Y))}
This result does not yet enable us to construct post-conditions for languages
of objects. The set of co-matches can be fully characterized as the language of 
a mono, which can only be achieved by fixing the right-hand side R and thus 
ensuring that exactly one occurrence of R is represented. However, as soon as 
we forget about the co-match, this effect is gone and can only be retrieved by 
adding annotations, which will be introduced next. 


4 Annotated Objects 


We now endow objects with annotations, thus making object languages more 
expressive. In particular we will use ordered monoids in order to annotate 
objects. Similar annotations have already been studied in [20] in the context 
of type systems and in [10] with the aim of studying decidability and closure 
properties, but not for abstract rewriting. 


Definition 20 (Ordered monoid). An ordered monoid (M, +, ≤) consists of
a set M, a partial order ≤ and a binary operation + such that (M, +) is a
monoid with unit 0 (which is the bottom element wrt. ≤) and the partial order is
compatible with the monoid operation. In particular a ≤ b implies a + c ≤ b + c
and c + a ≤ c + b for all a, b, c ∈ M. An ordered monoid is commutative if + is
commutative.

A tuple (M, +, −, ≤), where (M, +, ≤) is an ordered monoid and − is a
binary operation on M, is called an ordered monoid with subtraction.

We say that subtraction is well-behaved whenever for all a, b ∈ M it holds
that a − a = 0 and (a − b) + b = a whenever b ≤ a.


For now subtraction is just any operation, without specific requirements. 
Later we will concentrate on specific subtraction operations and demand that 
they are well-behaved. 

In the following we will consider only commutative monoids. 


Definition 21 (Monotone maps and homomorphisms). Let M₁, M₂ be
two ordered monoids. A map h: M₁ → M₂ is called monotone if a ≤ b implies
h(a) ≤ h(b) for all a, b ∈ M₁. The category of ordered monoids with subtraction
and monotone maps is called Mon.

A monotone map h is called a homomorphism if h(0) = 0 and h(a + b) =
h(a) + h(b). If M₁, M₂ are ordered monoids with subtraction, we say that h
preserves subtraction if h(a − b) = h(a) − h(b).


Example 22. Let n ∈ ℕ∖{0} and take M_n = {0, 1, ..., n, ∗} (zero, one, ...,
n, many) with 0 < 1 < ··· < n < ∗ and addition as (commutative) monoid
operation with the proviso that a + b = ∗ if the sum is larger than n. In addition
a + ∗ = ∗ for all a ∈ M_n. Subtraction is truncated subtraction where a − b = 0
if a < b. Furthermore ∗ − a = ∗ for all a ∈ ℕ. It is easy to see that subtraction
is well-behaved.
Given a set S and an ordered monoid (with subtraction) M, it is easy to
check that also M^S is an ordered monoid (with subtraction), where the elements
are functions from S to M and the partial order, the monoidal operation and
the subtraction are taken pointwise.

The following path monoid is useful if we want to annotate a graph with 
information over which paths are present. Note that due to the possible fusion 
of nodes and edges caused by the abstraction, a path in the abstract graph does 
not necessarily imply the existence of a corresponding path in a concrete graph. 
Hence annotations based on such a monoid, which provide information about 
the existence of paths, can yield useful additional information. 


Example 23. Given a graph G, we denote by E_G⁺ ⊆ V_G × V_G the transitive closure
of the edge relation E_G = {(src_G(e), tgt_G(e)) | e ∈ E_G}. The path monoid P_G
of G has the carrier set 𝒫(E_G⁺). The partial order is simply inclusion and the
monoid operation is defined as follows: given P₀, P₁ ∈ P_G, we have

P₀ + P₁ = {(v₀, v_n) | ∃v₁, ..., v_{n−1}: (v_i, v_{i+1}) ∈ P_{j_i},
j₀ ∈ {0, 1}, j_{i+1} = 1 − j_i for i ∈ {0, ..., n − 1} and n ∈ ℕ}.

That is, new paths can be formed by concatenating alternating path fragments
from P₀, P₁. It is obvious to see that + is commutative and one can also show
associativity. P = ∅ is the unit. Subtraction simply returns the first parameter:
P₀ − P₁ = P₀.


We will now formally define annotations for objects via a functor from a 
given category to Mon. 


Definition 24 (Annotations for objects). Given a category C and a functor
A: C → Mon, an annotation based on A for an object X ∈ C is an element
a ∈ A(X). We write A_φ, instead of A(φ), for the action of functor A on a
C-arrow φ. We assume that for each object X there is a standard annotation
based on A that we denote by s_X, thus s_X ∈ A(X).


It can be shown quite straightforwardly that the forgetful functor mapping
an annotated object X[a], with a ∈ A(X), to X is an op-fibration (or co-fibration
[19]), arising via the Grothendieck construction.

Our first example is an annotation of graphs with global multiplicities, count- 
ing nodes and edges, where the action of the functor is to sum up those multi- 
plicities. 


Example 25. Given n ∈ ℕ∖{0}, we define the functor B^n: Graph → Mon: For
every graph G, B^n(G) = M_n^{V_G ∪ E_G}. For every graph morphism φ: G → H and
a ∈ B^n(G), we have B^n_φ(a) ∈ M_n^{V_H ∪ E_H} with:

B^n_φ(a)(y) = Σ_{φ(x)=y} a(x), where x ∈ (V_G ∪ E_G) and y ∈ (V_H ∪ E_H).

Therefore an annotation based on a functor B^n associates every item of a graph
with a number (or the top value ∗). We will call such annotations multiplicities.
Furthermore the action of the functor on a morphism transforms a multiplicity
by summing up (in M_n) the values of all items of the source graph that are
mapped to the same item of the target graph.

For a graph G, its standard multiplicity s_G ∈ B^n(G) is defined as the function
which maps every node and edge of G to 1.


As another example we consider local annotations which record the out- 
degree of a node and where the action of the functor is to take the supremum 
instead of the sum. 


Example 26. Given n ∈ ℕ∖{0}, we define the functor S^n: Graph → Mon as
follows: For every graph G, S^n(G) = M_n^{V_G}. For every graph morphism φ: G →
H and a ∈ S^n(G), we have S^n_φ(a) ∈ M_n^{V_H} with:

S^n_φ(a)(w) = ⋁_{φ(v)=w} a(v), where v ∈ V_G and w ∈ V_H.

For a graph G, its standard annotation s_G ∈ S^n(G) is defined as the function
which maps every node of G to its out-degree (or ∗ if the out-degree is larger
than n).


Finally, we consider annotations based on the path monoid (see Example 23). 


Example 27. We define the functor T: Graph → Mon as follows: For every
graph G, T(G) = P_G. For every graph morphism φ: G → H and P ∈ T(G), we
have T_φ(P) ∈ P_H with:

T_φ(P) = {(φ(v), φ(w)) | (v, w) ∈ P}.

For a graph G, its standard annotation s_G ∈ T(G) is the transitive closure of
the edge relation, i.e., s_G = E_G⁺.


In the following we will consider only annotations satisfying certain properties 
in order to achieve soundness and completeness. 


Definition 28 (Properties of annotations). Let A: C → Mon be an
annotation functor, together with standard annotations. In this setting we say
that

– the homomorphism property holds if whenever φ is a mono, then A_φ is a
monoid homomorphism, preserving also subtraction.

– the adjunction property holds if whenever φ: A ↣ B is a mono, then
  • A_φ: A(A) → A(B) has a right adjoint red_φ: A(B) → A(A), i.e., red_φ is
  monotone and satisfies a ≤ red_φ(A_φ(a)) for a ∈ A(A) and A_φ(red_φ(b)) ≤
  b for b ∈ A(B).³
  • red_φ is a monoid homomorphism that preserves subtraction.
  • it holds that red_φ(s_B) = s_A, where s_A, s_B are standard annotations.

Furthermore, assuming that A_φ has a right adjoint red_φ, we say that

– the pushout property holds, whenever for each pushout as shown in the
diagram to the right, with all arrows monos, where η = ψ₁ ∘ φ₁ = ψ₂ ∘ φ₂, it
holds that for every d ∈ A(D):

d = A_{ψ₁}(red_{ψ₁}(d)) + (A_{ψ₂}(red_{ψ₂}(d)) − A_η(red_η(d))).

[Diagram omitted: the pushout square A →φ₁ B, A →φ₂ C, B →ψ₁ D, C →ψ₂ D with the diagonal η: A → D.]

We say that the pushout property for standard annotations holds if we replace
d by s_D, red_η(d) by s_A, red_{ψ₁}(d) by s_B and red_{ψ₂}(d) by s_C.

– the Beck-Chevalley property holds if whenever the square shown to the right
is a pullback with φ₁, ψ₂ mono, then it holds for every b ∈ A(B) that

A_{φ₂}(red_{φ₁}(b)) = red_{ψ₂}(A_{ψ₁}(b)).

[Diagram omitted: the pullback square A →φ₂ C, A →φ₁ B, C →ψ₂ D, B →ψ₁ D, marked (PB).]

³ This amounts to saying that the forgetful functor is a bifibration when we restrict
to monos, see [19, Lem. 9.1.2].


Note that the annotation functor from Example 25 satisfies all properties
above, whereas the functors from Examples 26 and 27 satisfy both the
homomorphism property and the pushout property for standard annotations, but do
not satisfy all the remaining requirements [8].

We will now introduce a more flexible notion of language, by equipping the 
abstract objects with two annotations, establishing lower and upper bounds. 


Definition 29 (Doubly annotated object). Given a topos C and a functor
A: C → Mon, a doubly annotated object A[a₁, a₂] is an object A of C with
two annotations a₁, a₂ ∈ A(A). An arrow φ: A[a₁, a₂] → B[b₁, b₂], also called a
legal arrow, is a C-arrow φ: A → B such that A_φ(a₁) ≥ b₁ and A_φ(a₂) ≤ b₂.

The language of a doubly annotated object A[a₁, a₂] (also called the language
of objects which are abstracted by A[a₁, a₂]) is defined as follows:

L(A[a₁, a₂]) = {X ∈ C | there exists a legal arrow φ: X[s_X, s_X] → A[a₁, a₂]}


Note that legal arrows are closed under composition [9]. Examples of
doubly annotated objects are given in Example 36 for global annotations from
Example 25 (providing upper and lower bounds for the number of nodes resp.
edges in the preimage of a given element). Graph elements without annotation
are annotated by [0, ∗] by default.


Definition 30 (Isomorphism property). An annotation functor A: C →
Mon, together with standard annotations, satisfies the isomorphism property if
the following holds: whenever φ: X[s_X, s_X] → Y[s_Y, s_Y] is legal, then φ is an
isomorphism, i.e., L(Y[s_Y, s_Y]) contains only Y itself (and objects isomorphic
to Y).
5 Abstract Rewriting of Annotated Objects


We will now show how to actually rewrite annotated objects. The challenge is 
both to find suitable annotations for the materialization and to “rewrite” the 
annotations. 


5.1 Abstract Rewriting and Soundness 


We first describe how the annotated rewritable materialization is constructed 
and then we investigate its properties. 


Definition 31 (Construction of annotated rewritable materialization).
Let p: L ↢φ_L I →φ_R R be a production and let A[a₁, a₂] be a doubly annotated object.
Furthermore let φ: L → A be an arrow.

We first construct the factorization L →n_L ⟨φ, φ_L⟩ →ψ A, obtaining the
rewritable materialization ⟨φ, φ_L⟩ from Definition 13. Next, let M contain all
maximal⁴ elements of the set

{(a'₁, a'₂) ∈ A(⟨φ, φ_L⟩)² | A_{n_L}(s_L) ≤ a'₂, a₁ ≤ A_ψ(a'₁), A_ψ(a'₂) ≤ a₂}.

Then the doubly annotated objects ⟨φ, φ_L⟩[a'₁, a'₂] with (a'₁, a'₂) ∈ M are the
annotated rewritable materializations for A[a₁, a₂], φ and φ_L.


Note that in general there can be several such materializations, differing by the
annotations only, or possibly none. The definition of M ensures that the upper
bound a'₂ of the materialization covers the annotations arising from the left-hand
side. We cannot use a corresponding condition for the lower bound, since the
materialization might contain additional structures, hence the arrow n_L is only
“semi-legal”. A more symmetric condition will be studied in Sect. 5.2.


Proposition 32 (Annotated rewritable materialization is terminal).
Given a production p: L ↢φ_L I →φ_R R, let L →m_L X be the match of L in an object
X such that X ⇒^{p,m_L}, i.e., X can be rewritten. Assume that X is abstracted by
A[a₁, a₂], witnessed by ψ. Let φ = ψ ∘ m_L and let L →n_L ⟨φ, φ_L⟩ → A be the
corresponding rewritable materialization. Then there exists an arrow ζ_A and a
pair of annotations (a'₁, a'₂) ∈ M for ⟨φ, φ_L⟩ (as described in Definition 31) such
that the diagram below commutes and the square is a pullback in the
underlying category. Furthermore the triangle consists of legal arrows. This means in
particular that ζ_A is legal.

[Diagram omitted: L[s_L, s_L] →m_L X[s_X, s_X] →ψ A[a₁, a₂] on top and L[s_L, s_L] →n_L ⟨φ, φ_L⟩[a'₁, a'₂] below; ζ_A: X[s_X, s_X] → ⟨φ, φ_L⟩[a'₁, a'₂] closes the pullback square on the left and, with the arrow ⟨φ, φ_L⟩ → A, the triangle on the right.]

⁴ “Maximal” means maximality with respect to the interval order (a₁, a₂) ⊑
(a'₁, a'₂) ⟺ a'₁ ≤ a₁, a₂ ≤ a'₂.
Having performed the materialization, we will now show how to rewrite
annotated objects. Note that we cannot simply take pushouts in the category of
annotated objects and legal arrows, since this would result in taking the supremum
of annotations, when instead we need the sum (subtracting the annotation of
the interface I, analogous to the inclusion-exclusion principle).

Definition 33 (Abstract rewriting step). Let p: L ↢φ_L I →φ_R R be a
production and let A[a₁, a₂] be an annotated abstract object. Furthermore let
φ: L → A be a match of a left-hand side, let n_L: L ↣ ⟨φ, φ_L⟩ be the match
obtained via materialization and let (a'₁, a'₂) ∈ M (as in Definition 31).

Then A[a₁, a₂] can be transformed to B[b₁, b₂] via p if there are arrows such
that the two squares below are pushouts in the base category and b₁, b₂ are
defined as:

b_i = A_{ψ_R}(c_i) + (A_{n_R}(s_R) − A_{n_R ∘ φ_R}(s_I)) for i ∈ {1, 2}

where c₁, c₂ are maximal annotations such that:

a'₁ ≤ A_{ψ_L}(c₁) + (A_{n_L}(s_L) − A_{n_L ∘ φ_L}(s_I)) and A_{ψ_L}(c₂) + (A_{n_L}(s_L) − A_{n_L ∘ φ_L}(s_I)) ≤ a'₂

[Diagram omitted: the two pushout squares with L[s_L, s_L] ←φ_L I[s_I, s_I] →φ_R R[s_R, s_R] on top and ⟨φ, φ_L⟩[a'₁, a'₂] ←ψ_L C[c₁, c₂] →ψ_R B[b₁, b₂] below, joined by the vertical arrows n_L, n_I and n_R.]

In this case we write A[a₁, a₂] ⇝^{p,φ} B[b₁, b₂] and say that A[a₁, a₂] makes an
abstract rewriting step to B[b₁, b₂].


We will now show soundness of abstract rewriting, i.e., whenever an object X 
is abstracted by Aļ|aı, a2] and X is rewritten to Y, then there exists an abstract 
rewriting step from Aļaı, a2] to B[b1, b2] such that Y is abstracted by B[b1, bə]. 


Assumption: In the following we will require that the homomorphism property 
as well as the pushout property for standard annotations hold (cf. Definition 28). 


Proposition 34 (Soundness for ⇝). Relation ⇝ is sound in the
following sense: Let X ∈ L(A[a₁, a₂]) (witnessed via a legal arrow ψ: X[s_X, s_X] →
A[a₁, a₂]) where X ⇒^{p,m_L} Y. Then there exists an abstract rewriting step
A[a₁, a₂] ⇝^{p,ψ∘m_L} B[b₁, b₂] such that Y ∈ L(B[b₁, b₂]).


5.2 Completeness 


The conditions on the annotations that we imposed so far are too weak to
guarantee completeness, that is, the fact that every object represented by B[b₁, b₂]
can be obtained by rewriting an object represented by A[a₁, a₂]. This can be
clearly seen by the fact that the requirements hold also for the singleton monoid
and, as discussed before, the graph structure of B is insufficient to characterize
the successor objects or graphs.

Hence we will now strengthen our requirements in order to obtain 
completeness. 


Assumption: In addition to the assumptions of Sect. 5.1, we will need that
subtraction is well-behaved and that the adjunction property, the pushout
property, the Beck-Chevalley property (Definition 28) and the isomorphism property
(Definition 30) hold.

The global annotations from Example 25 satisfy all these properties. In
particular, given an injective graph morphism φ: G → H the right adjoint
red_φ: M_n^{V_H ∪ E_H} → M_n^{V_G ∪ E_G} to B^n_φ is defined as follows: given an annotation
b ∈ M_n^{V_H ∪ E_H}, red_φ(b)(x) = b(φ(x)), i.e., red_φ simply provides a form of
reindexing.
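As an added illustration (example code written for this edit, not from the paper), the following Python models the truncated monoid M_n of Example 22, the multiplicity functor B^n of Example 25 acting along a graph morphism, the reindexing right adjoint red_φ just defined, and legal arrows between doubly annotated graphs (Definition 29), so that membership X ∈ L(A[a₁, a₂]) can be checked for concrete graphs. The dict-based graph encoding and the sample graphs A, X, Z, P are constructed assumptions.

```python
STAR = "*"  # the top element "many" of M_n


class Mn:
    """The ordered monoid M_n = {0, 1, ..., n, *} with truncated + and -."""

    def __init__(self, n):
        assert n >= 1
        self.n = n

    def leq(self, a, b):
        return b == STAR or (a != STAR and a <= b)

    def add(self, a, b):
        if a == STAR or b == STAR:
            return STAR
        return a + b if a + b <= self.n else STAR

    def sub(self, a, b):
        # a - a = 0 for every a.  The text fixes * - a = * only for a in N;
        # * - * = 0 is the choice that keeps subtraction well-behaved.
        if a == b:
            return 0
        if a == STAR:
            return STAR
        return 0 if b == STAR else max(a - b, 0)


# Constructed graph encoding (an assumption, not the paper's): a graph is a
# dict with a set of node names and a dict edge -> (src, tgt); node and edge
# names are disjoint, so V_G u E_G is the union of the two name sets.
def items(g):
    return set(g["nodes"]) | set(g["edges"])


def is_graph_morphism(phi, g, h):
    """phi maps nodes to nodes and edges to edges, preserving src and tgt."""
    if any(phi.get(v) not in h["nodes"] for v in g["nodes"]):
        return False
    return all(phi.get(e) in h["edges"] and h["edges"][phi[e]] == (phi[s], phi[t])
               for e, (s, t) in g["edges"].items())


def functor_B(m, phi, g, h, a):
    """B^n_phi(a)(y): sum (in M_n) of a(x) over all x with phi(x) = y (Example 25)."""
    out = {y: 0 for y in items(h)}
    for x in items(g):
        out[phi[x]] = m.add(out[phi[x]], a[x])
    return out


def red(phi, g, b):
    """red_phi(b)(x) = b(phi(x)): the right adjoint of B^n_phi for a mono phi."""
    return {x: b[phi[x]] for x in items(g)}


def standard(g):
    """The standard multiplicity s_G: every node and edge is counted once."""
    return {x: 1 for x in items(g)}


def pointwise_leq(m, a, b):
    return all(m.leq(a[x], b[x]) for x in a)


def is_legal(m, phi, g, h, a1, a2, b1, b2):
    """phi: G[a1,a2] -> H[b1,b2] is legal iff B_phi(a1) >= b1 and B_phi(a2) <= b2."""
    return (pointwise_leq(m, b1, functor_B(m, phi, g, h, a1))
            and pointwise_leq(m, functor_B(m, phi, g, h, a2), b2))


def abstracted_by(m, phi, x, a, a1, a2):
    """X in L(A[a1,a2]), witnessed by the legal arrow phi: X[s_X,s_X] -> A[a1,a2]."""
    s = standard(x)
    return is_graph_morphism(phi, x, a) and is_legal(m, phi, x, a, s, s, a1, a2)


def adjunction_holds(m, phi, g, h, a, b):
    """a <= red(B(a)) and B(red(b)) <= b: the adjunction property of Definition 28."""
    return (pointwise_leq(m, a, red(phi, g, functor_B(m, phi, g, h, a)))
            and pointwise_leq(m, functor_B(m, phi, g, h, red(phi, g, b)), b))


# Constructed sample: abstract graph A with one edge f: p -> q, annotated so
# that p stands for exactly one node while q and f may be matched 0..* times.
M = Mn(2)
A = {"nodes": {"p", "q"}, "edges": {"f": ("p", "q")}}
A1 = {"p": 1, "q": 0, "f": 0}
A2 = {"p": 1, "q": STAR, "f": STAR}
# X: a hub x with two outgoing edges, collapsed onto p, q and f by PHI_X.
X = {"nodes": {"x", "y1", "y2"}, "edges": {"e1": ("x", "y1"), "e2": ("x", "y2")}}
PHI_X = {"x": "p", "y1": "q", "y2": "q", "e1": "f", "e2": "f"}
# Z: two hubs that both map to p, violating the upper bound a2(p) = 1.
Z = {"nodes": {"x1", "x2"}, "edges": {}}
PHI_Z = {"x1": "p", "x2": "p"}
# A mono: the subgraph consisting of the node p alone, included into A.
P = {"nodes": {"p"}, "edges": {}}
INCL = {"p": "p"}
```

With M = M_2, X is abstracted by A[A1, A2] while Z is not, and the inclusion of P into A satisfies both adjunction inequalities.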

We will now modify the abstract rewriting relation and allow only those 
abstract annotations for the materialization that reduce to the standard anno- 
tation of the left-hand side. 


Definition 35 (Abstract rewriting step →). Given φ: L → A, assume that
B[b₁, b₂] is constructed from A[a₁, a₂] via the construction described in
Definitions 31 and 33, with the modification that the set of annotations from which
the set of maximal annotations M of the materialization ⟨φ, φ_L⟩ are taken, is
replaced by:

{(a'₁, a'₂) ∈ A(⟨φ, φ_L⟩)² | red_{n_L}(a'_i) = s_L, i ∈ {1, 2}, a₁ ≤ A_ψ(a'₁), A_ψ(a'₂) ≤ a₂}.

In this case we write A[a₁, a₂] →^{p,φ} B[b₁, b₂].


Due to the adjunction property we have A_{n_L}(s_L) = A_{n_L}(red_{n_L}(a'₂)) ≤ a'₂ and
hence the set M of annotations of Definition 35 is a subset of the corresponding
set of Definition 33.


Example 36. We give a small example of an abstract rewriting step (a more
extensive, worked example can be found in the full version [8]). Elements without
annotation are annotated by [0, ∗] by default and those with annotation [0, 0]
are omitted. Furthermore elements in the image of the match and co-match are
annotated by the standard annotation [1, 1] to specify the concrete occurrence
of the left-hand and right-hand side.

[Diagram omitted: the annotated abstract graph A, the production L ← I → R, the annotated materialization and the resulting annotated graph B; elements in the match and co-match carry [1, 1].]
The variant of abstract rewriting introduced in Definition 35 can still be
proven to be sound, assuming the extra requirements stated above.


Proposition 37 (Soundness for →). Relation → is sound in the sense of
Proposition 34.


Using the assumptions we can now show completeness. 


Proposition 38 (Completeness for →). If A[a₁, a₂] →^{p,φ} B[b₁, b₂] and Y ∈
L(B[b₁, b₂]), then there exists X ∈ L(A[a₁, a₂]) (witnessed via a legal arrow
ψ: X[s_X, s_X] → A[a₁, a₂]) such that X ⇒^{p,m_L} Y and φ = ψ ∘ m_L.

Finally, we can show that annotated graphs of this kind are expressive enough
to construct a strongest post-condition. If we allowed several annotations
for objects, as in [9], we could represent the language with a single (multiply)
annotated object.


Corollary 39 (Strongest post-condition). Let A[a₁, a₂] be an
annotated object and let φ: L → A. We obtain (several) abstract rewriting steps
A[a₁, a₂] →^{p,φ} B[b₁, b₂], where we always obtain the same object B. (B is dependent
on φ, but not on the annotation.) Now let N = {(b₁, b₂) | A[a₁, a₂] →^{p,φ} B[b₁, b₂]}.
Then

⋃_{(b₁,b₂) ∈ N} L(B[b₁, b₂]) = {Y | ∃(X ∈ L(A[a₁, a₂]), witnessed by ψ), (L →m_L X).
(φ = ψ ∘ m_L ∧ X ⇒^{p,m_L} Y)}


6 Conclusion 


We have described a rewriting framework for abstract graphs that also applies 
to objects in any topos, based on existing work for graphs [1,2,4,27,28,31]. In 
particular, we have given a blueprint for materialization in terms of the universal 
property of partial map classifiers. This is a first theoretical milestone towards 
shape analysis as a general static analysis method for rule-based systems with 
graph-like objects as states. Soundness and completeness results for the rewriting 
of abstract objects with annotations in an ordered monoid provide an effective 
verification method for the special case of graphs. We plan to implement the
materialization construction and the computation of rewriting steps of abstract 
graphs in a prototype tool. 

The extension of annotations with logical formulas is the natural next 
step, which will lead to a more flexible and versatile specification language, 
as described in previous work [30,31]. The logic can possibly be developed in 
full generality using the framework of nested application conditions [18, 23] that 
applies to objects in adhesive categories. This logical approach might even reduce 
the proof obligations for annotation functors. Another topic for future work 
is the integration of widening or similar approximation techniques, which col- 
lapse abstract objects and ideally lead to finite abstract transition systems that 
(over-)approximate the typically infinite transition systems of graph transformation
systems.
Abstract. In this paper, we investigate the complexity of the emptiness
problem for Parikh automata equipped with a pushdown stack. Push- 
down Parikh automata extend pushdown automata with counters which 
can only be incremented and an acceptance condition given as a semi- 
linear set, which we represent as an existential Presburger formula over 
the final values of the counters. We show that the non-emptiness prob- 
lem both in the deterministic and non-deterministic cases is NP-c. If the 
input head can move in a two-way fashion, emptiness gets undecidable, 
even if the pushdown stack is visibly and the automaton deterministic. 
We define a restriction, called the single-use restriction, to recover decid- 
ability in the presence of two-wayness, when the stack is visibly. This syn- 
tactic restriction enforces that any transition which increments at least 
one dimension is triggered only a bounded number of times per input 
position. Our main contribution is to show that non-emptiness of two- 
way visibly Parikh automata which are single-use is NEXPTIME-c. We 
finally give applications to decision problems for expressive transducer 
models from nested words to words, including the equivalence problem. 


1 Introduction 


Parikh automata. Since the classical automata-based approach to model- 
checking [28], finite automata have been extended in many ways to tackle 
the automatic verification of more realistic and powerful systems against more 
expressive specifications. For instance, they have been extended to pushdown 
systems [3,26,30], concurrent systems [5], and systems with counters or spec- 
ifications with arithmetic constraints have been the focus of many works in 
verification [7,11,15-18, 23]. 

Along this line of work, Parikh automata (or PA), introduced in [22], are 
an important instance of automata extension with arithmetic constraints. They 
are automata on finite words whose transitions are equipped with counter oper- 
ations. The counters can only be incremented, and do not influence the run 
(enabling a transition requires no test on counter values), but the acceptance 
of a run is defined by the membership of the final counter valuations to some 
semi-linear set S. Expressivity of PAs goes beyond regularity, as the language 
L = {w | |w|_a = |w|_b} of words having the same numbers of as and bs is realised
by a simple automaton counting the numbers of as and bs in counters x₁ and x₂
respectively, and the accepting condition is given by the linear set {(i, i) | i ∈ ℕ}.
Semi-linear sets can be defined by formulas in existential Presburger arithmetic,
i.e., first-order formulas with equality and sum predicates over integers, whose free
variables are evaluated by the counter values calculated by the run.

A central problem in automata theory is the non-emptiness problem: does 
the automaton accept at least one input? Although PAs go beyond regular lan- 
guages, they retain relatively good algorithmic properties. The emptiness prob- 
lem is decidable, and it is NP-c [12]. The hardness holds even if the semi-linear 
set is represented as a set of generator vectors. Motivated by applications in 
transducer theory for well-nested words, we investigate in this article extensions 
of Parikh automata with a pushdown stack. 


First contribution: pushdown Parikh automata. As a first contribution, we study 
the complexity of the emptiness problem for Parikh automata with a pushdown 
store. Just as Parikh automata extend finite automata with counter operations and 
an acceptance condition given as a semi-linear set, pushdown Parikh automata 
extend pushdown automata in the same way. We show that adding a stack can be 
done for free with respect to the emptiness problem, which remains, as for stack- 
free Parikh automata, NP-c. However, in this case we are able to strengthen the 
lower bound: it remains NP-hard even if there are only two counters, the automa- 
ton is deterministic, and the Presburger formula only tests for equality of these 
two counters. In the stack-free setting, an unbounded number of counters is 
necessary to obtain such a lower bound. 


Contribution 1. The emptiness problem for pushdown Parikh automata (PPA) 
is NP-c. The lower bound holds even if the automaton is deterministic, has only 
two counters whose operations are encoded in unary, and they are eventually 
tested for equality. 


Second contribution: adding two-wayness. We investigate the complexity of push- 
down Parikh automata when the input head is allowed to move in two direc- 
tions. It is not difficult to see that in that case emptiness gets undecidable, since, 
already without counters, one can simulate the intersection of two determinis- 
tic pushdown automata, by performing two passes over the input (visiting each 
input position at most three times). We consider a first restriction on the stack 
behaviour, which is required to be visibly. 

A pushdown stack is called visibly if it is driven by the type of letters it reads, 
which can be either call symbols, return symbols or internal symbols. Words 
formed over such a structured alphabet are called nested words, and well-nested 
words if additionally the call/return structure of the word is well-balanced, such 
as in the following example: 


[Figure: a well-nested word, with each call symbol linked by an arc to its matching return symbol] 
Automata for nested words, called visibly pushdown automata (or VPA), have 
been introduced in [2]. They are pushdown automata whose stack behaviour 
is constrained by the input in the following way. Upon reading a call symbol, 
exactly one symbol is pushed onto the stack. Upon reading a return symbol, 
exactly one symbol is popped from it. Upon reading an internal symbol, the 
stack is left unchanged. Hence, the symbol that is pushed while reading a given 
call symbol is popped while reading its matching return symbol. Consequently, 
visibly pushdown automata enjoy nice properties, such as closure under Boolean 
operations and determinisation. 

VPA have been extended to two-way VPA (2VPA) [8] with the following stack 
constraints: in a backward reading mode, the role of the return and call symbols 
regarding the stack are inverted: when reading a call, exactly one symbol is 
popped from the stack and when reading a return, one symbol is pushed. It was 
shown in [8] that adding this visibly condition to two-way pushdown automata 
allows one to recover decidability for the emptiness problem. However, for Parikh 
acceptance, this restriction is not sufficient. Indeed, by encoding Diophantine 
equations, we show the following undecidability result: 


Contribution 2. The emptiness problem for two-way visibly pushdown Parikh 
automata (2VPPA) is undecidable. 


Single-use property. The problem is that by using the combination of two- 
wayness and a pushdown stack, it is possible to encode polynomially, and even 
exponentially large counter values, with respect to the length of the input word. 
We consider therefore the single-use restriction, which appears in several trans- 
ducer models [6,8,10], by which it is possible to keep a linear behaviour for 
the counters. Informally, a single-use two-way machine bounds the size of the 
production per input position. It is syntactically enforced by asking that tran- 
sitions which strictly increment at least one counter are triggered at most once 
per input position. Our main result is the decidability of 2VPPA emptiness under 
the single-use restriction, with tight complexity. 


Contribution 3 (Main). The emptiness problem for two-way single-use visi- 
bly pushdown Parikh automata (2VPPA$_{su}$) is NExpTime-c. The hardness holds 
even if the automaton is deterministic, has only two counters whose operations 
are encoded in unary, and they are eventually tested for equality. 


To prove the upper-bound, we show that two-wayness can be removed from 
single-use 2VPPA, at the price of one exponential. In other words, single-use 
2VPPA and VPPA have the same expressive power, although it can be shown that 
the former model is exponentially more succinct. The lower bound is obtained by 
encoding the succinct variant of the subset sum problem, based on a reduction 
which uses the fact that, by combining the pushdown and two-way features, 
single-use 2VPPA can encode doubly-exponential values $2^{2^n}$ with a polynomial 
number of states (in $n$). 
                  | Visibly Pushdown   | Pushdown 
one-way           | NP-complete        | NP-complete 
2-way single-use  | NExpTime-complete  | Undecidable 
2-way             | Undecidable        | Undecidable 


Fig. 1. Complexity of the emptiness problem for different pushdown Parikh automata. All 
results hold for deterministic and non-deterministic machines. 


Contribution 4 (Applications). As an application, we give an elementary 
upper-bound (NExpTime) for the equivalence problem of functional single-use 
two-way visibly pushdown transducers [8], while an ExpTime lower bound was 
known. This transducer model defines transductions from well-nested words to 
words and, as shown in [8], they are well-suited to define XML transformations, 
have the same expressive power as Courcelle's MSO-transducers [6] (cast to 
well-nested words), and admit a memory-efficient evaluation algorithm. We also 
provide two other new results on single-use 2VPT (not necessarily functional). 
First, we show that given a positive integer k, it is decidable whether a single- 
use 2VPT produces at most k different output words per input (k-valuedness 
problem). Then, we show the decidability of a typechecking problem: given a 
single-use 2VPT T and a finite (stack-free) Parikh automaton P, it is decidable 
whether the codomain of T has a non-empty intersection with P. This allows for 
instance to decide whether a single-use 2VPT produces only well-nested words 
and thus describes a well-nested words to well-nested words transformation, since 
the property of a word to be non well-nested is definable, as we show, by a Parikh 
automaton. 


Finite-visit vs single-useness. The single-use property is more general than 
the more classical finite-visit restriction, used for instance in [9,19]: it requires 
to visit any input position a (machine-dependent) constant number of times, 
while single-useness only bounds the number of visits by producing transitions. 
Although, as a consequence of our results, single-use and finite-visit 2VPPA have 
the same expressive power, this extra modelling feature is desirable, for instance 
when using 2VPPA to test properties of 2VPT: single-use 2VPT are strictly more 
expressive than finite-visit ones, and this relaxation is crucial to capture MSO 
transductions [8]. Moreover, we somehow get it for free: we show that the NEX- 
PTIME lower bound also holds for finite-visit 2VPPA. Finally, we note that since 
we deal with single-use machines rather than finite-visit ones, the usual ingredi- 
ent for going from two-way to one-way, which consists of simply memorising crossing 
sections of states, is not sufficient to get the result here, since we cannot bound 
the size of these crossing sections. 


Related work. Parikh automata are closely related to reversal-bounded counter 
machines [18]. In fact, both models have equivalent expressiveness in the non- 
deterministic case [22]. The difference of expressive power in the deterministic 
case is due to the fact that counter machines can perform tests on their counters 
that can influence the run, while counters in Parikh automata only matter at the 
end of the run. Several extensions of reversal-bounded counter machines were 
studied, whether they are two-way or equipped with a (visibly) pushdown stack. 
However, to the best of our knowledge, the combination of the two features has 
never been studied (see [19] for a survey). It is possible to define a model of 
single-use reversal-bounded two-way visibly pushdown counter machines, where 
the single-useness is put on transitions that modify the counters. This model 
is expressively equivalent to 2VPPA$_{su}$ in the non-deterministic case, and thanks 
to our result, has a decidable emptiness problem. The non-emptiness problem 
for reversal-bounded (one-way) pushdown counter machines for fixed numbers 
of counters and reversals is known to be in NP [13] and NP-hard [16]. Convert- 
ing PPA into reversal-bounded counter machines would yield an unfixed number 
of counters. Our NP lower-bound for PPA however follows ideas of [16] about 
encoding, using the stack, integers n with O(log(n)) states and stack symbols. 

Two-way (stack-free) reversal-bounded counter machines, even deterministic, 
are known to have an undecidable emptiness problem [19]. Decidability is recov- 
ered by taking the finite-visit restriction [19]. Our result on 2VPPA$_{su}$ entails the 
decidability of emptiness of two-way reversal-bounded counter machines which 
are single-use. 

Finally, all the decidability results we prove on two-way visibly pushdown 
transducers were already known in the one-way case [13]. Two-way visibly push- 
down transducers, which are strictly more expressive, can also be seen as a 
model of unranked tree-to-word transducers, modulo tree linearisation. To the 
best of our knowledge, this is the first model of unranked tree-to-word transduc- 
ers for which k-valuedness and codomain well-nestedness is shown to be decid- 
able. Another model, introduced in [1], is known to be expressively equivalent 
to 2VPT$_{su}$ [8], and in the functional case, has a decidable equivalence problem in 
NExpTime. However, translating 2VPT$_{su}$ to this model requires an exponential 
blow-up, yielding a worse complexity for equivalence testing. 


Structure. Section 2 introduces the computing models used, the proof of the upper 
bound for 2VPPA$_{su}$ is given in Sect. 3 and the lower bound in Sect. 4. Finally, 
some applications of the main theorem to transducers are given in Sect. 5. 


2 Two-Way Visibly Pushdown (Parikh) Automata 


In this section, we first recall the definition of two-way visibly pushdown 
automata and later on extend them to two-way visibly pushdown Parikh 
automata. 

We consider a structured alphabet $\Sigma$ defined as the disjoint union of call 
symbols $\Sigma_c$, return symbols $\Sigma_r$ and internal symbols $\Sigma_i$. The set of words over 
$\Sigma$ is $\Sigma^*$. As usual, $\varepsilon$ denotes the empty word. Amongst nested words, the set of 
well-nested words $\Sigma^*_{wn}$ is defined as the least set such that $\Sigma_i \cup \{\varepsilon\}$ is included 
in $\Sigma^*_{wn}$, and if $w_1, w_2 \in \Sigma^*_{wn}$ then both $w_1 w_2$ and $c w_1 r$ (for all $c \in \Sigma_c$ and 
$r \in \Sigma_r$) belong to $\Sigma^*_{wn}$. 

When dealing with two-way machines, we assume the structured alphabet $\Sigma$ 
to be extended to $\overline{\Sigma}$ by adding left and right marker symbols $\rhd, \lhd$ to $\Sigma_c$ and 
$\Sigma_r$ respectively, and we consider words in the language $\rhd \Sigma^* \lhd$. 


Definition 1. A two-way visibly pushdown automaton (2VPA for short) $A$ over 
$\Sigma$ is given by $(Q, q_I, F, \Gamma, \delta)$ where $Q$ is a finite set of states, $q_I \in Q$ is the initial 
state, $F \subseteq Q$ is a set of final states and $\Gamma$ is a finite stack alphabet. Given the set 
$D = \{\leftarrow, \rightarrow\}$ of directions, the transition relation $\delta$ is defined by $\delta^{push} \cup \delta^{pop} \cup \delta^{int}$ 
where 


— $\delta^{push} \subseteq ((Q \times \{\rightarrow\} \times \Sigma_c) \cup (Q \times \{\leftarrow\} \times \Sigma_r)) \times ((Q \times D) \times \Gamma)$ 
— $\delta^{pop} \subseteq ((Q \times \{\leftarrow\} \times \Sigma_c \times \Gamma) \cup (Q \times \{\rightarrow\} \times \Sigma_r \times \Gamma)) \times (Q \times D)$ 
— $\delta^{int} \subseteq (Q \times D \times \Sigma_i) \times (Q \times D)$ 


Additionally, we require that for any states $q, q'$ and any stack symbol $\gamma$, if 
$(q, \leftarrow, \rhd, \gamma, q', d) \in \delta^{pop}$ then $d = \rightarrow$, and if $(q, \rightarrow, \lhd, \gamma, q', d) \in \delta^{pop}$ then $d = \leftarrow$, 
ensuring that the reading head stays within the bounds of the input word. 


Informally, a 2VPA has a reading head pointing between symbols (and pos- 
sibly on the left of $\rhd$ or the right of $\lhd$). A configuration of the machine is given 
by a state, a position, a direction $d$ and a stack content. The next symbol to be read is on 
the right of the head if $d = \rightarrow$ and on the left if $d = \leftarrow$. Note that when reading 
the left marker from right to left ($\leftarrow$) (resp. the right marker from left to right 
($\rightarrow$)), the next direction can only be $\rightarrow$ (resp. $\leftarrow$). The structure of the alphabet 
induces the behaviour of the machine regarding the stack when reading the input 
word: when reading to the right, a call symbol leads to pushing one symbol onto 
the stack while a return symbol pops one symbol from the stack. When reading 
to the left, the dual behaviour holds. In any direction, internal transitions from 
$\delta^{int}$ read internal symbols and do not affect the stack; hence, at a given position 
in the input word, the height of the stack is the same at each visit of 
that position in the run of the machine. The triggering of a transition leads to 
the update of the state of the machine, the future direction as well as the stack 
content. For a direction $d$, a natural $i$ ($0 \le i \le |w|$) and a word $w$, we denote by 


— $move(d, i)$ the integer $i - 1$ if $d = \leftarrow$ and $i + 1$ if $d = \rightarrow$; 
— $read(w, d, i)$ the symbol $w(i)$ if $d = \leftarrow$ and $w(i + 1)$ if $d = \rightarrow$. 


Note that when switching directions (i.e. when the direction of the first part of 
the transition is different from the second part), we read the same letter twice. 
This ensures the good behaviour of the stack: as reading a call letter from left to 
right pushes a stack symbol, we need to pop it if we start moving from right to 
left. 

Formally, a stack $\sigma$ is a finite word over $\Gamma$. The empty stack/word over $\Gamma$ is 
denoted $\bot$. For a word $w$ over $\overline{\Sigma}$ and a 2VPA $A = (Q, q_I, F, \Gamma, \delta)$, a configuration 
$\kappa$ of $A$ is a tuple $(q, i, d, \sigma)$ where $q \in Q$, $0 \le i \le |w|$, $d \in D$ and $\sigma$ is a stack. A 
run of $A$ on a word $w$ is a finite sequence $\rho$ from $K(\delta K)^*$, where $K$ is the set of 
all configurations (that is, a sequence starting and ending with a configuration 
and alternating between configurations and transitions); a run $\rho$ is of the form 
$(q_0, i_0, d_0, \sigma_0)\,\tau_1\,(q_1, i_1, d_1, \sigma_1)\,\tau_2 \cdots \tau_\ell\,(q_\ell, i_\ell, d_\ell, \sigma_\ell)$ where for all $0 \le j < \ell$, we 
have one of the following: 


— either $d_j = \rightarrow$ and $read(w, d_j, i_j) \in \Sigma_c$, or $d_j = \leftarrow$ and $read(w, d_j, i_j) \in \Sigma_r$; then 
$\tau_{j+1} = (q_j, d_j, read(w, d_j, i_j), q_{j+1}, d_{j+1}, \gamma) \in \delta^{push}$, $i_{j+1} = move(d_j, i_j)$ and 
$\sigma_{j+1} = \sigma_j \gamma$; 

— either $d_j = \leftarrow$ and $read(w, d_j, i_j) \in \Sigma_c$, or $d_j = \rightarrow$ and $read(w, d_j, i_j) \in \Sigma_r$; then 
$\tau_{j+1} = (q_j, d_j, read(w, d_j, i_j), \gamma, q_{j+1}, d_{j+1}) \in \delta^{pop}$, $i_{j+1} = move(d_j, i_j)$ and 
$\sigma_{j+1} \gamma = \sigma_j$; 

— $read(w, d_j, i_j) \in \Sigma_i$; then $\tau_{j+1} = (q_j, d_j, read(w, d_j, i_j), q_{j+1}, d_{j+1}) \in \delta^{int}$, $i_{j+1} = move(d_j, i_j)$ 
and $\sigma_{j+1} = \sigma_j$. 


Note that any single configuration is a run on the empty word $\varepsilon$. The initial 
configuration is $(q_I, 0, \rightarrow, \bot)$. A configuration $(q, i, d, \bot)$ is final if $q \in F$ and $i$ 
is the last position. A run on the word $w$ is accepting if its first configuration is 
initial and its last configuration is final. A two-way visibly pushdown automaton 
$A$ is: 


— deterministic (denoted D2VPA) if $\delta^{push}$ (resp. $\delta^{pop}$, $\delta^{int}$) is a function from 
$Q \times D \times \Sigma$ (resp. $Q \times D \times \Sigma \times \Gamma$, $Q \times D \times \Sigma_i$) to $Q \times D \times \Gamma$ (resp. $Q \times D$, 
$Q \times D$). 

— one-way (denoted VPA) if all transitions in $A$ have $\rightarrow$ for direction. 

— finite-visit if for some $k > 0$, any run visits at most $k$ times the same input 
position. 


The size of a 2VPA is the number of states times the size of the stack alphabet. 
For A an automaton, we denote by L(A) the language recognized by A. 


Lemma 1 ([8]). Given a 2VPA A, deciding if L(A) is empty is ExpTime- 
complete. 


Parikh automata. Parikh automata were introduced in [22]. Informally, they 
are automata with counters that can only be incremented, and do not 
act on the transition relation. Acceptance of runs is done by evaluating 
a Presburger formula whose free variables are set to the counter values. 
In our setting, a Presburger formula is a positive formula $\phi(x_1, \ldots, x_n) = 
\exists y_1 \ldots y_m\; \psi(x_1, \ldots, x_n, y_1, \ldots, y_m)$ such that $\psi$ is a boolean combination of atoms 
$s + s' < t + t'$, for $s, s', t, t' \in \{0, 1, x_1, \ldots, x_n, y_1, \ldots, y_m\}$. For a set $S$ and some 
positive number $m$, we denote by $S^m$ the set of all mappings from $[1 \ldots m]$ to 
$S$. If $(s_1, \ldots, s_m)$ and $(t_1, \ldots, t_m)$ are two tuples of $S^m$ and $+$ is a binary oper- 
ation on $S$, we extend $+$ to $S^m$ by considering the operation element-wise, i.e. 
$(s_1, \ldots, s_m) + (t_1, \ldots, t_m) = (s_1 + t_1, \ldots, s_m + t_m)$. 


Definition 2. A two-way visibly pushdown Parikh automaton (2VPPA for 
short) is a tuple $P = (A, \lambda, \phi)$ where $A$ is a 2VPA and, for some natural $dim$, $\lambda$ 
is a mapping from $\delta$ to $\mathbb{N}^{dim}$, the set of vectors of length $dim$ of naturals, and 
$\phi(x_1, \ldots, x_{dim})$ is a Presburger formula with $dim$ free variables. 
When clear from context, we may omit the free variables from the Presburger 
formula, and simply write $\phi$. A run of a 2VPPA is a run of its underlying 
2VPA. We extend the mapping $\lambda$ canonically to runs. For a run $\rho$ of the form 
$(q_0, i_0, d_0, \sigma_0)\,\tau_1\,(q_1, i_1, d_1, \sigma_1)\,\tau_2 \cdots \tau_\ell\,(q_\ell, i_\ell, d_\ell, \sigma_\ell)$, we set 


$$\lambda(\rho) = \lambda(\tau_1) + \lambda(\tau_2) + \cdots + \lambda(\tau_\ell)$$ 


We recall that a single configuration $c$ is a run over the empty word $\varepsilon$. 
For such a run $c$, we set $\lambda(c) = 0^{dim}$. A run $\rho = (q_0, i_0, d_0, \sigma_0)\,\tau_1\,(q_1, i_1, d_1, \sigma_1)\, 
\tau_2 \cdots \tau_\ell\,(q_\ell, i_\ell, d_\ell, \sigma_\ell)$ is accepted if $(q_0, i_0, d_0, \sigma_0)$ and $(q_\ell, i_\ell, d_\ell, \sigma_\ell)$ are respec- 
tively an initial and a final configuration of the underlying automaton and, 
for $\lambda(\rho) = (n_1, \ldots, n_{dim})$, $[x_1 \leftarrow n_1, \ldots, x_{dim} \leftarrow n_{dim}] \models \phi(x_1, \ldots, x_{dim})$. 
The language $L(P)$ is the set of words which admit an accepting run. 
We define the set of values computed by $P$ as $Val(P) = \{\lambda(\rho) \mid \rho$ a valid run 
of the underlying automaton of $P\}$. We define the size of $P$ as the 
size of $A$ plus the number of symbols in $\phi$ plus $|\delta| \cdot dim \cdot \log(W)$, where $W$ is the 
maximal value occurring in the codomain of $\lambda$. 

It is deterministic (resp. one-way), denoted D2VPPA (resp. VPPA), if its 
underlying automaton is deterministic (resp. one-way). It is known from [4] that 
DPA (i.e. deterministic one-way and stack-free Parikh automata in our setting) 
are strictly less expressive than their nondeterministic counterpart. As a separating 
example, they exhibit the language $L = \{w \mid w(|w|_a) = b\}$, i.e. all words $w$ such 
that if $n$ is the number of $a$'s in $w$, the letter at the $n$th position is a $b$. Note 
that even in the two-way case, a deterministic machine recognising $L$ needs 
either to have access, during the computation, to the number of $a$'s, or to be able to 
store, in counters, the position of each $b$. The first option is impossible 
since Parikh automata only access their counters at the end of the run, and the 
second is also impossible since there are only finitely many counters; hence this 
language is not definable by a D2VPPA either, furthering the separation between 
deterministic and nondeterministic Parikh automata. 


Example 1. As an example, we give a deterministic 2VPPA $P$ that, given an 
input $i^n c^k i^\ell r^k$ with $c, i, r$ in $\Sigma_c$, $\Sigma_i$ and $\Sigma_r$ respectively, accepts if $k = \ell$ and 
$n = k^2$. The 2VPPA $P$ uses 4 variables $x_n$, $x_k$, $x_\ell$ and $y$. The first 3 variables 
are used to count the length of the first block of $i$'s, the number of calls and 
the length of the second block of $i$'s respectively. The handling of these 3 variables is straight- 
forward and can be done in a single pass over the input. The fourth variable 
$y$ computes the product $k \cdot \ell$, and doing so is more involved. The part of the 
underlying 2VPA of $P$ handling $y$ is given in Fig. 2. On this part, the mapping 
$\lambda$ simply increments the counter on transitions going to state 2 (i.e. on reading 
the letters $i$ from left to right). It makes as many passes over the block of internal 
symbols in state 2 as there are call symbols, and the content of the stack upon 
reading $i^\ell$ for the $j$th time is $1^j 0^{k-j}$. Finally, the accepting formula $\phi$ of $P$ is 
defined by $x_n = y \wedge x_k = x_\ell$. Note that this widget allows us to compute the set 
$\{(k^2, k, k, k^2) \mid k \in \mathbb{N}\}$, which is not semi-linear. 
[Fig. 2: the widget of $P$ handling $y$; its transitions are labelled by the letter read and the 
stack operation: $c$, push(0); $c$, push(1); $c$, pop(0); $c$, pop(1); $r$, pop(0); $r$, pop(1); $i$, $y$++] 


Fig. 2. A 2VPPA reading words $c^k i^\ell r^k$ and making $k$ passes over $i^\ell$, adding $k \cdot \ell$ to the 
variable $y$. The transitions have two components, the first being the letter read, and 
the second being the stack operation. There is no stack operation upon reading internal 
symbols. The variable $y$ is incremented on transitions going to state 2 only. 
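To make the two-way stack discipline of Definition 1 and the counting of Example 1 concrete, the following Python simulator is an added example and not code from the paper. It executes a deterministic 2VPPA with the $move$/$read$ semantics above (a call read rightwards or a return read leftwards pushes, the dual moves pop, internal letters leave the stack untouched, and a direction switch re-reads the same letter), accumulates the counter vector $\lambda(\rho)$, and flags when a producing state revisits the same (position, direction), i.e. when the run violates single-useness. The transition table for Example 1 is my own reconstruction of the widget of Fig. 2, not the figure verbatim: the state names (`scan`, `pass`, `back`, `fwd`, ...), the stack symbols `0`, `1`, `#`, `x` and the final sweep that counts $x_\ell$ are assumptions. The first traversal of $i^\ell$ is a non-producing scan; each later traversal adds $\ell$ to $y$ while one more `1` sits on the stack, so $y = k \cdot \ell$ after $k$ producing passes.

```python
"""Deterministic two-way visibly pushdown Parikh automaton simulator (added example)."""
from typing import NamedTuple

CALL, RET, INT = "call", "ret", "int"
L, R = "<-", "->"                  # directions D = {<-, ->}
LMARK, RMARK = "\u22b3", "\u22b2"  # end markers: a call and a return symbol


class RunResult(NamedTuple):
    accepted: bool      # the underlying 2VPA run reached a final configuration
    counters: dict      # lambda(rho), the final counter valuation
    single_use: bool    # no producing state visited twice at the same (position, direction)


class D2VPPA:
    """delta: (state, dir, symbol, top) -> (state', dir', pushed, increments);
    `top` is the popped symbol for pop moves and None otherwise, `pushed` likewise."""

    def __init__(self, kind, delta, q0, finals, max_steps=100_000):
        self.kind = {**kind, LMARK: CALL, RMARK: RET}
        self.delta, self.q0, self.finals, self.max_steps = delta, q0, finals, max_steps
        self.producing = {key[0] for key, v in delta.items() if any(v[3].values())}
        self.names = sorted({c for v in delta.values() for c in v[3]})

    def run(self, word):
        w = [LMARK, *word, RMARK]          # head sits between symbols, positions 0..|w|
        q, i, d, stack = self.q0, 0, R, []
        counters = {c: 0 for c in self.names}
        visits, single_use = set(), True
        for _ in range(self.max_steps):
            if q in self.finals and i == len(w) and not stack:
                return RunResult(True, counters, single_use)      # final configuration
            if q in self.producing:                               # single-use bookkeeping
                if (q, i, d) in visits:
                    single_use = False
                visits.add((q, i, d))
            if (d == R and i == len(w)) or (d == L and i == 0):
                break                                             # head left the input
            sym = w[i] if d == R else w[i - 1]                    # read(w, d, i)
            kind = self.kind[sym]
            pops = (kind == CALL and d == L) or (kind == RET and d == R)
            if pops and not stack:
                break
            key = (q, d, sym, stack[-1] if pops else None)
            if key not in self.delta:
                break                                             # no transition: reject
            q2, d2, pushed, inc = self.delta[key]
            if pops:
                stack.pop()
            if pushed is not None:
                stack.append(pushed)
            for c, v in inc.items():
                counters[c] += v
            q, d, i = q2, d2, (i + 1 if d == R else i - 1)        # move(d, i) with the old d
        return RunResult(False, counters, single_use)


def example1_automaton():
    """Example 1 on i^n c^k i^l r^k (reconstructed; assumed state and stack names).
    Going back over the calls, 1s are popped until a 0 is popped; the machine turns
    there and re-pushes 1s, so producing pass j runs with 0^(k-j) 1^j on the stack."""
    N = {}
    t = {
        ("init", R, LMARK, None): ("first", R, "#", N),
        ("first", R, "i", None): ("first", R, None, {"xn": 1}),
        ("first", R, "c", None): ("calls", R, "0", {"xk": 1}),
        ("first", R, RMARK, "#"): ("acc", L, None, N),           # k = 0
        ("calls", R, "c", None): ("calls", R, "0", {"xk": 1}),
        ("calls", R, "i", None): ("scan", R, None, N),            # non-producing first sweep
        ("calls", R, "r", "0"): ("turn0", L, None, N),
        ("scan", R, "i", None): ("scan", R, None, N),
        ("scan", R, "r", "0"): ("turn0", L, None, N),
        ("turn0", L, "r", None): ("back", L, "0", N),            # re-read r leftwards: push back
        ("turn1", L, "r", None): ("back", L, "1", N),
        ("back", L, "i", None): ("back", L, None, N),
        ("back", L, "c", "1"): ("back", L, None, N),
        ("back", L, "c", "0"): ("fwd", R, None, N),              # turn at the first unused call
        ("back", L, LMARK, "#"): ("done_pre", R, None, N),       # every call used: finish
        ("fwd", R, "c", None): ("fwd", R, "1", N),
        ("fwd", R, "i", None): ("pass", R, None, {"y": 1}),
        ("fwd", R, "r", "1"): ("turn1", L, None, N),
        ("pass", R, "i", None): ("pass", R, None, {"y": 1}),
        ("pass", R, "r", "1"): ("turn1", L, None, N),
        ("done_pre", R, LMARK, None): ("done_pre", R, "#", N),
        ("done_pre", R, "i", None): ("done_pre", R, None, N),
        ("done_pre", R, "c", None): ("done", R, "x", N),
        ("done", R, "c", None): ("done", R, "x", N),
        ("done", R, "i", None): ("done", R, None, {"xl": 1}),
        ("done", R, "r", "x"): ("done", R, None, N),
        ("done", R, RMARK, "#"): ("acc", L, None, N),
    }
    return D2VPPA({"c": CALL, "i": INT, "r": RET}, t, "init", {"acc"})


def accepts_example1(n, k, l):
    """Run P on i^n c^k i^l r^k; returns (accepted by P, counters, run was single-use)."""
    res = example1_automaton().run("i" * n + "c" * k + "i" * l + "r" * k)
    c = res.counters
    phi = c["xn"] == c["y"] and c["xk"] == c["xl"]               # phi = (xn = y) and (xk = xl)
    return res.accepted and phi, c, res.single_use
```

`accepts_example1(4, 2, 2)` accepts with $x_n = y = 4$ and reports that the run is not single-use, because state `pass` reads the same $i$ positions rightwards in two different passes, exactly the violation the text points out for Example 1; `accepts_example1(3, 2, 2)` has an accepting run of the underlying 2VPA but is rejected by $\phi$.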


As we have seen in the previous example, the set Val(P) is not necessarily 
semi-linear, even with P a D2VPPA. We use this fact to encode diophantine 
equations, and get the following undecidability result: 


Theorem 1. The emptiness problem of D2VPPA is undecidable. 


Single-useness. In order to recover decidability, we adapt to Parikh automata 
the notion of single-useness introduced in [8]. Simply put, a 2VPPA is single-use 
(denoted 2VPPA$_{su}$) if the transitions that affect the variables can only be taken 
once on any given input position, thus effectively bounding the size of the variables 
linearly with respect to the size of the input. Formally, a state $p$ of a 2VPPA $P$ is 
producing if there exists a transition $t$ from $p$ on some symbol with $\lambda(t) \neq 0^{dim}$. 
A 2VPPA is single-use if for every input $w$ and every accepting run $\rho$ over $w$, 
there do not exist two different configurations $(p, i, d, \sigma)$ and $(p, i, d, \sigma')$ with 
$p$ a producing state, meaning that $\rho$ does not visit any position twice in the same 
direction in the same producing state of $P$. This property is a syntactic restriction 
of the model. However, since this property is regular, it can equivalently be 
seen as a semantic one. Moreover, deciding the single-useness of a 2VPPA is 
ExpTime-c (see [8] for the same result but on transducers). Note that the Parikh 
automaton given in Example 1 is not single-use, since it passes over the second 
block of internal letters $i$ in state 2 as many times as there are call symbols. 
In the following, we prove that 2VPPA$_{su}$ have the same expressiveness as VPPA, 
while being exponentially more succinct. In particular, this equivalence implies, 
by Parikh's Theorem [24], semi-linearity of $Val(P)$ for any 2VPPA$_{su}$ $P$. 


3 Emptiness Complexity 


We show that the non-emptiness problem for VPPA is NP-complete. We actu- 
ally show the upper-bound for the strictly more expressive Pushdown Parikh 
Automata (PPA), i.e. VPPA without the visibly restriction. While decidability 
was known [20,21], the precise complexity was, to the best of our knowledge, 
unknown. Let us also remark that the model and the proof are similar to the 
proof of NP-completeness of $k$-reversal pushdown systems from [16]. However, 
it is adapted here to Parikh automata as well as to deterministic machines, which 
was not the case in [16]. 


Theorem 2. The non-emptiness problem for VPPA and PPA is NP-complete. 
The complexity bounds hold even if the automata are deterministic, with a fixed 
dimension 2, tuples of values in $\{0,1\}^2$ and with the fixed Presburger formula 
$\phi(x_1, x_2) = (x_1 = x_2)$. 


From 2VPPA$_{su}$ to VPPA. From a two-way visibly pushdown Parikh automaton 
satisfying the single-useness restriction, one can build an equivalent one-way 
visibly pushdown Parikh automaton. The construction induces an exponential 
blow-up, which cannot be avoided, as with most constructions from two-way to 
one-way machines. 


Theorem 3. For any 2VPPA$_{su}$ $A$, one can construct a VPPA $B$ whose size is 
at most exponential in the size of $A$ and such that $L(A) = L(B)$. Moreover, the 
construction can be carried out in exponential time. 


Proof (Sketch). The goal is to be able to correctly guess all the transitions exactly 
taken by a run of the two-way machine at once. More precisely, the one-way 
machine guesses the behavior of the two-way machine on each well-nested sub- 
word of the input, i.e. a set of partial runs over a subword. A partial run is a pair 
from $Q \times \{\leftarrow, \rightarrow\}$. Informally, they describe a maximal subrun over a subword 
of the input. We call these sets of partial runs profiles, and we define relations 
$C$ and $N_{cr}$ to describe compatible profiles. Formally, the relation $C \subseteq \mathcal{P}^3$ is the 
concatenation relation, defined as the set of triples $(P, P', P'')$ such that there exists 
a word $u = u_1 v v' u_2$ where $v$ and $v'$ are well-nested subwords of $u$, and a run $r$ 
on $u$ such that $P$ (resp. $P'$) is the profile of $v$ in $r$ (resp. of $v'$) and $P''$ is the 
profile of $vv'$ in $r$. Similarly, the relation $N_{cr} \subseteq \mathcal{P}^2$, for $c, r$ call and return letters 
respectively, is the $cr$-nesting relation, defined as the set of pairs $(P, P')$ 
such that there exists a word $u = u_1 c v r u_2$ where $v$ is well-nested, and a run $r$ of 
$A$ on $u$ such that $P$ is the profile of $v$ in $r$ and $P'$ is the profile of $cvr$ in $r$. We 
prove that these relations are computable in exponential time. 

Given these relations, we can compute a VPPA $B$ whose runs are in bijection with 
the runs of $A$. Moreover, we can recover from a run of $B$ which transitions are 
effectively taken at each position by the corresponding run of $A$. Then, the increment 
function simply performs all the increments done by the run at a given position at 
once. Since the operation is addition on integers, it is commutative and the 
variables are updated in the same way they were by the run of $A$. Note that 
we only recover which transitions are taken, and not how many times they are 
taken, which can depend on the size of the input. However, since $A$ is single-use, 
we only have to add each non-zero transition once, which gives the result. 


As a direct corollary of Theorems 3 and 2, we get the following. 


Corollary 1. The emptiness of 2VPPA$_{su}$ can be decided in NExpTime. 
4 NExpTime-Hardness 


In this section, we show that the problem of deciding whether the language of 
a 2VPPA,, is non-empty is hard for NExpTime. Moreover, we show that this 
hardness does not depend on the fact that we have taken existential Presburger 
formulas, nor on the vector dimensions, and nor on the fact that the values in 
the tuples are encoded in binary. 


Theorem 4. The non-emptiness problem for 2VPPA$_{su}$ is NExpTime-hard. The 
result holds even if the automaton is deterministic, of dimension 2, with counter 
updates in $\{0,1\}$, the Presburger formula is $\phi(x_1, x_2) = (x_1 = x_2)$, and it is finite- 
visit. 


Succinct Subset Sum Problem. We reduce from the succinct subset sum prob- 
lem (SSSP), which is NExpTime-hard [16]. Let us define SSSP. Let $m, k \ge 1$, 
$X = \{x_1, \ldots, x_k\}$ and $Y = \{y_1, \ldots, y_m\}$ be sets of Boolean variables. Let $\theta$ be 
a Boolean formula over $X \cup Y$. Any word $v \in \{0,1\}^{k+m}$ naturally defines a 
valuation of $X \cup Y$ (the first bit of $v$ is the value of $x_1$, etc.). We denote by 
$\theta[v] \in \{0,1\}$ the truth value of $\theta$ under the valuation $v$. The formula $\theta$ defines 
$2^k$ non-negative integers $a_1, \ldots, a_{2^k}$, each with $2^m$ bits, as follows: 


$$a_i = \theta[b_i d_1] \cdot 2^{2^m - 1} + \theta[b_i d_2] \cdot 2^{2^m - 2} + \cdots + \theta[b_i d_{2^m}] \cdot 2^0$$ 


where $b_i$ is the binary encoding over $k$ bits of $i$, and $d_1, \ldots, d_{2^m}$ is the lex- 
icographic enumeration of $\{0,1\}^m$, starting from $0^m$. Note that for all $i \in 
\{1, \ldots, 2^k\}$, $a_i \in \{0, \ldots, 2^{2^m} - 1\}$. The Succinct Subset Sum Problem asks, given 
$X, Y$ and $\theta$, whether there exists $J \subseteq \{1, \ldots, 2^k - 1\}$ such that $\sum_{j \in J} a_j = a_{2^k}$. 


Overview of the construction and encoding the values $a_i$. Given an instance $\mathcal{I}$ of 
SSSP, our goal is to construct a D2VPPA$_{su}$ $P = (C, \lambda, \phi)$ of dimension 2 such 
that $|P|$ is polynomial in $|\theta| + k + m$ and $L(P) \neq \emptyset$ iff $\mathcal{I}$ has a solution. 

The main idea is to ensure that $L(C) = \{X_1 e_1 \ldots X_{2^k - 1} e_{2^k - 1} \# e_{2^k} \mid X_i \in 
\{0,1\}\}$ where the $X_i$ are internal symbols which are used to encode a subset 
$J \subseteq \{1, \ldots, 2^k - 1\}$, and each $e_i$ is an encoding of $a_i$, defined later, over some 
alphabet containing the symbol $\bar{1}$, such that the number of occurrences of $\bar{1}$ 
in $e_i$ is $a_i$. In other words, $e_i$ somehow encodes $a_i$ in unary. For the vector part, 
the machine $P$, when running over $X_i e_i$, updates its dimensions depending on 
two cases: (1) if $X_i = 1$ ("put value $a_i$ in $J$"), then any transition reading $\bar{1}$ 
has weight $(1, 0)$ and any other transition has weight $(0, 0)$; (2) if $X_i = 0$, then 
every transition has weight $(0, 0)$. So, if $X_i = 1$, the value in the first dimension 
after processing $X_i e_i$ has been incremented by $a_i$. Similarly, when processing 
$\# e_{2^k}$, any transition reading $\bar{1}$ increments the 2nd dimension by 1, so that after 
processing $\# e_{2^k}$, this dimension has value $a_{2^k}$. The formula $\phi(x_1, x_2)$ then only 
requires equality of $x_1$ and $x_2$, i.e. $\phi(x_1, x_2) = (x_1 = x_2)$. 

We now explain how to encode $a_i$ by a well-nested word $e_i$. Due to the finite- 
visit restriction, every incrementing transition can be triggered at most once for 
each input position. Since the value $a_i$ is possibly doubly exponential in $m$ and 
we are allowed to have only a polynomial number of transitions (in $|\theta| + k + m$), 
necessarily $e_i$ must be of doubly exponential length. The main idea is to use 
the stack and the two-wayness to recognise, with a polynomial number of states, 
well-nested words which are of doubly exponential length. We need a series of 
intermediate lemmas to achieve this idea. We start with a useful result about 
intersection of finite automata, here reversible finite automata (deterministic 
and backward deterministic). Let $\Sigma = \{1, \ldots, m\}$ and let us define recursively 
the sequence of words $(u_i)_{0 \le i \le m} \in \Sigma^*$ as follows: $u_0 = \varepsilon$, $u_i = u_{i-1}\, i\, u_{i-1}$ for 
$1 \le i < m$ and $u_m = u_{m-1}\, m\, u_{m-1}\, m$ (so $|u_i| = 2^i - 1$ for $i < m$ and $|u_m| = 2^m$). 


[Fig. 3. On the left, the automaton $A_i$, for $i < m$. On the right, the automaton $A_m$.] 


Lemma 2. The word $u_m$ has length $2^m$, and there exist reversible finite 
automata $A_0, \ldots, A_m$ (Fig. 3) such that (i) each $A_i$ has $O(1)$ states, and (ii) 
$\bigcap_i L(A_i) = \{u_m\}$. 


Encoding of the values $a_i$. The idea is to define a well-nested word $e_i$ over 
an alphabet of call symbols $\Sigma_c = \{c_1, \ldots, c_m\}$, an alphabet of return symbols 
$\Sigma_r = \{r_1, \ldots, r_m\}$ and an alphabet of internal symbols $\Sigma_i = \{0, 1, \bar{1}, \bar{0}\}$. The 
number of occurrences of $\bar{1}$ in $e_i$ will be exactly $a_i$, i.e. $\#_{\bar{1}}(e_i) = a_i$, and hence 
the Parikh automaton will just have to count the number of $\bar{1}$ occurrences. Let 
us remind the reader that $a_i$ is actually given by $\theta$, and therefore the automaton 
$P$ will somehow have to evaluate $\theta$ on valuations of its variables that will be 
contained in $e_i$. Let us now define the words $e_i$. For that, we call a binary 
tree either an internal symbol $\bar{1}, \bar{0}$, or a well-nested word of the form $c_j t_1 t_2 r_j$ 
where $t_1, t_2$ are themselves binary trees. For a well-nested word of the form 
$cwr$, a root-to-leaf branch $\pi$ is a sequence of calls $x_1 \ldots x_n$ such that $cwr = 
x_1 w_1 x_2 w_2 \ldots x_n w_n r_n w'_n r_{n-1} w'_{n-1} \ldots r_2 w'_2 r_1$ where $x_1 = c$, $r_1 = r$ and for some 
$w_i, w'_i$ well-nested words such that $w_n$ contains only internal symbols. The height 
of a binary tree $t$ is the maximal length of a root-to-leaf branch, and it is complete 
if all root-to-leaf branches have the same length. Note that the number of internal 
symbols of a complete binary tree of height $n$ is $2^n$. 

Then, $e_i$ is the well-nested word defined by $e_i = c_{j_1} b_i d_1 t_1\; c_{j_2} b_i d_2 t_2 \ldots c_{j_{2^m}} 
b_i d_{2^m} t_{2^m}\; r_{j_{2^m}} \ldots r_{j_1}$ where 


1. the words $t_j$ are binary trees 

2. every root-to-leaf branch $\pi = c_{i_1} \ldots c_{i_\ell}$ of $e_i$ satisfies $i_1 \ldots i_\ell = u_m$ 

3. $b_i \in \{0,1\}^k$ and $d_1, \ldots, d_{2^m}$ is the lexicographic enumeration of $\{0,1\}^m$ (start- 
ing from $0^m$) 

4. for all $j$, all internal symbols occurring in $t_j$ are $\bar{1}$ if $\theta[b_i d_j] = 1$, $\bar{0}$ otherwise. 
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Our goal is now to prove that e; is a correct encoding of a;i. 


Lemma 3. For all $i \in \{1, \dots, 2^k\}$, $\#_1(e_i) = a_i$, where $\#_1(e_i)$ denotes the num- 
ber of occurrences of 1 in $e_i$. 


Proof. By Condition 2, every root-to-leaf branch of $e_i$ has length $2^m$. There- 
fore, for all $j \in \{1, \dots, 2^m\}$, every root-to-leaf branch in $t_j$ has length $2^m - j$. 
In particular, $t_{2^m}$ does not contain any call symbol. Hence all the trees $t_j$ 
are complete binary trees of height $2^m - j$. So, every $t_j$ has $2^{2^m - j}$ inter- 
nal symbols and by Condition 4, we get $\#_1(t_j) = \theta[b_i d_j] \cdot 2^{2^m - j}$. Therefore, 


$$\#_1(e_i) = \sum_{j=1}^{2^m} \#_1(t_j) = \sum_{j=1}^{2^m} \theta[b_i d_j] \cdot 2^{2^m - j} = a_i.$$ 
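The construction of $u_m$ and of the encoding $e_i$, together with the counting argument of Lemma 3, can be checked mechanically. The following Python code is an added example, not code from the paper: it builds $u_m$ from the recursive definition, builds $e_i$ for a given bit vector $b_i$ and a Boolean formula $\theta$ (supplied as a Python predicate over the bits $b_i d_j$), extracts all root-to-leaf branches of the well-nested word, and compares $\#_1(e_i)$ with $a_i = \sum_j \theta[b_i d_j] \cdot 2^{2^m - j}$. Two assumptions are made that the text leaves implicit: the bit vectors $b_i$ and $d_j$ are written with the barred internal symbols (tokens `b0`, `b1` below) so that they never contribute to the count of 1, and call and return symbols are written as tokens `c<j>` and `r<j>`.

```python
from itertools import product

# Added example (not from the paper): builds u_m and the well-nested encoding
# e_i, then checks Lemma 2 (|u_m| = 2^m), Condition 2 (every root-to-leaf
# branch spells u_m) and Lemma 3 (#_1(e_i) = a_i). Assumptions: bit vectors
# b_i, d_j use the barred symbols, encoded here as tokens "b0"/"b1", so they
# are never counted as the internal symbol 1; theta is a Python predicate.


def u_word(m):
    """u_0 = eps, u_i = u_{i-1} i u_{i-1} for 1 <= i < m, u_m = u_{m-1} m u_{m-1} m."""
    u = []
    for i in range(1, m):
        u = u + [i] + u
    return u + [m] + u + [m]


def tree(depth, height, bit, u):
    """Complete binary tree of the given height whose internal symbols are all
    `bit`. A node at depth d (1-based, the spine root being depth 1) carries the
    call symbol c_{u_m[d]}, so every root-to-leaf branch reads u_m (Condition 2)."""
    if height == 0:
        return [bit]                      # a single internal symbol is a tree
    j = u[depth - 1]
    sub = tree(depth + 1, height - 1, bit, u)
    return [f"c{j}"] + sub + sub + [f"r{j}"]


def encode(b_bits, m, theta):
    """e_i = c_{j_1} b_i d_1 t_1 c_{j_2} b_i d_2 t_2 ... c_{j_N} b_i d_N t_N r_{j_N} ... r_{j_1}, N = 2^m."""
    u, N = u_word(m), 2 ** m
    ds = list(product((0, 1), repeat=m))  # lexicographic enumeration from 0^m (Condition 3)

    def spine(j):                          # 1-based position on the spine
        if j > N:
            return []
        bit = "1" if theta(list(b_bits) + list(ds[j - 1])) else "0"   # Condition 4
        bits = [f"b{x}" for x in b_bits] + [f"b{x}" for x in ds[j - 1]]
        body = bits + tree(j + 1, N - j, bit, u) + spine(j + 1)        # t_j has height 2^m - j
        return [f"c{u[j - 1]}"] + body + [f"r{u[j - 1]}"]

    return spine(1)


def a_value(b_bits, m, theta):
    """a_i = sum_j theta[b_i d_j] * 2^(2^m - j), the number e_i must encode."""
    N = 2 ** m
    return sum(int(bool(theta(list(b_bits) + list(d)))) * 2 ** (N - j)
               for j, d in enumerate(product((0, 1), repeat=m), start=1))


def branches(word):
    """Index sequences of all root-to-leaf branches of a well-nested word (a
    branch ends at a call whose content holds no further call); also checks
    that calls and returns match."""
    out, stack = [], []            # stack entries: [call index, has a nested call]
    for tok in word:
        if tok[0] == "c":
            if stack:
                stack[-1][1] = True
            stack.append([int(tok[1:]), False])
        elif tok[0] == "r":
            path = [s[0] for s in stack]
            idx, nested = stack.pop()
            assert idx == int(tok[1:]), "mismatched call/return"
            if not nested:
                out.append(path)
    assert not stack, "unbalanced word"
    return out


def count_ones(word):
    """#_1: only the internal symbol 1 counts, not the barred bit token b1."""
    return word.count("1")


if __name__ == "__main__":
    # constructed formula over (b_1, b_2, d_1, d_2): b_1 != d_1 and d_2 = 1
    theta = lambda v: v[0] != v[2] and v[3] == 1
    e = encode([1, 0], 2, theta)
    print(len(u_word(3)), count_ones(e), a_value([1, 0], 2, theta),
          set(map(tuple, branches(e))))
```

With $m = 2$ the spine has $2^m = 4$ levels, every branch reads $u_2 = 1\,2\,1\,2$, and for the constructed $\theta$ only $d_2 = 01$ evaluates to 1, so $a_i = 2^{4-2} = 4$, which is exactly the number of internal symbols of $t_2$.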


Note that Condition 3 was not used in the previous proof, but it will be useful 
to define a succinct D2VPA recognising $e_i$. The key result is the following. It 
states the existence of a succinct D2VPA which recognises exactly the candidate 
solutions to SSSP. 


Lemma 4. One can construct a D2VPA $B$ such that $B$ has polynomially many 
states in $|\theta| + k + m$ and $L(B) = \{X_1 e_1 \dots X_{2^k - 1} e_{2^k - 1} \# e_{2^k} \mid X_i \in \{0,1\}\}$. 


Proof (Sketch). First, we show the existence of a D2VPA $A$ with polynomially 
many states in $|\theta| + k + m$ such that $L(A) = \{e_i \mid i \in \{1, \dots, 2^k\}\}$ (Proposition ?? 
in Appendix). The main idea is to construct succinct D2VPA which check each 
of the Conditions 1 to 4 of the definition of the encoding independently, and then 
to take their intersection (by running the first, then the second, etc.). Condition 
1 is easy to check. For Condition 2, we rely on Lemma 2, and run sequentially the 
automata $A_i$ (in $m$ passes) to check independently that for all $i$, each root-to-leaf 
branch has a sequence of indices that belongs to $A_i$. Thanks to the reversibility 
of $A_i$, it is possible when going upward in the tree, to recover the previous state 
of $A_i$. For Condition 3, we rely on the two-wayness to check that a sequence of 
$m$ bits is a successor of another sequence succinctly, by doing $O(m)$ passes over 
the two successor vectors. The stack is not necessary there. For Condition 4, we 
rely on the existence of a succinct 2DFA which accepts all the valuations that 
satisfy a given Boolean formula. 


We can finally construct the D2VPPA$_{su}$ $P = (C, \varphi)$ of dimension 2 whose 
language is non-empty iff the SSSP instance $\mathcal{I}$ has a solution. The automaton $C$ 
performs a first pass on the whole word by running the automaton $B$ of Lemma 4, 
to check that the input is of the form $X_1 e_1 \dots X_{2^k - 1} e_{2^k - 1} \# e_{2^k}$. During this pass, 
no vector dimension is incremented. During a second pass, when reading some 
$X_i = 1$, $C$ goes to some state $q_1$ from which it increments the 1st dimension 
whenever 1 is read (all other transitions have value $(0,0)$). When reading some 
$X_{i+1}$, it stays in $q_1$ if $X_{i+1} = 1$ or goes to $q$ otherwise, from which no transition 
touches the counters. When reading $\#$, it goes to a state from which it increments 
only the 2nd dimension on reading 1. Note that this automaton is single-use: 
any symbol 1 occurring in the whole input word is counted at most once. It 
is even finite-visit (each position is visited $O(m + k + |\theta|)$ times). Finally, one 
only needs to check whether the first dimension equals the second one, using a 
formula $\varphi(x_1, x_2) = (x_1 = x_2)$. Note that the following lemma proves Theorem 4, 
since SSSP is NExpTime-c. 


Lemma 5. Given an instance $X, Y, \theta$ of SSSP, one can construct a D2VPPA$_{su}$ 
$P$ of polynomial size in $|\theta| + |X| + |Y|$ such that $L(P) \neq \emptyset$ iff SSSP has a 
solution. 


5 Applications to Decision Problems for Nested Word 
Transducers 


In this section, we give two applications of 2VPPA, namely on decision problems 
for two-way visibly pushdown transducers (2VPT). 2VPT were introduced in [8] 
as a model to define transductions from well-nested words to words, or, modulo 
tree linearisation, from trees to words. It was shown that they can express, even in 
their deterministic and single-use version, all functions from well-nested words to 
words definable in MSOT, in the sense of Courcelle [6], while having a decidable 
equivalence problem. No upper bound was provided however. Using 2VPPA, 
we show that the equivalence of 2VPT$_{su}$ defining functions can be tested in 
NExpTime. We also consider other standard problems from transducer theory 
and show, again using 2VPPA, their decidability. First, let us define formally 
2VPT. 

A two-way visibly pushdown transducer (2VPT for short) is a pair $(A, \mu)$ 
where $A$ is a 2VPA and $\mu$ is a morphism from the sequences of transitions $\delta^*$ to 
some output alphabet $\Gamma^*$. A run of a 2VPT is a run of its underlying 2VPA. The 
output of a run $\rho$ of the form $(q_0, i_0, d_0, \sigma_0)\,\tau_1\,(q_1, i_1, d_1, \sigma_1)\,\tau_2 \cdots \tau_\ell\,(q_\ell, i_\ell, d_\ell, \sigma_\ell)$ 
is $\mu(\tau_1 \dots \tau_\ell)$. A run is accepted if it is accepted by its underlying automaton. The 
transduction defined by a 2VPT is the set of pairs $(u, v)$ such that $v$ is the output 
of some accepting run on $u$. A state $p$ of a 2VPT is producing if there exists a 
transition $\tau$ such that $p$ is the first component of $\tau$ and $\mu(\tau) \neq \varepsilon$. Similarly to 
Parikh automata, a 2VPT $T$ is single-use (denoted 2VPT$_{su}$) if for any valid run 
of $T$, we do not reach the same position twice in the same producing state. It is 
deterministic, denoted D2VPT, if its underlying automaton is deterministic. 


Deciding the k-valuedness and equivalence problems. For any positive integer $k$, 
we say that a transducer is $k$-valued if every input word has at most $k$ different 
outputs. In particular, it is 1-valued if it defines a (partial) function, in which case 
it is also called functional. 


Theorem 5. Let $T$ be a 2VPT$_{su}$, and $k$ an integer. Then the $k$-valuedness of $T$ 
can be decided in NExpTime. It is also ExpTime-hard. 


The theorem is proved by reducing the $k$-valuedness of $T$ to the emptiness of 
a 2VPPA$_{su}$ $P$ that guesses $k + 1$ runs of $T$ that produce $k + 1$ different outputs. 
To ensure that the outputs are different, during each run $P$ guesses, and stores 
in counters, $k$ output positions and the letters produced at these positions. The 
formula of $P$ at the end simply checks, for each pair of runs, that the same posi- 
tions were guessed by both runs, and that the letters were different, ensuring 
that the guessed runs have pairwise different outputs. As two functional trans- 
ducers are equivalent if they have the same domain and their union is 1-valued, 
we get the following corollary. 


Corollary 2. The equivalence of two functional 2VPT$_{su}$ $T$ and $T'$ can be decided 
in NExpTime. It is also ExpTime-hard. 


The NExpTime complexity of equivalence of tree-to-string transducers was 
already established for Streaming Tree-to-string Transducers (STST), introduced 
in [1]. However, the conversion between 2VPT$_{su}$ and STST yields an expo- 
nential blow-up. 

We can generalize Corollary 2 to strictly $k$-valued transducers. We say that 
a transducer $T$ is strictly $k$-valued if each input word in the domain of $T$ has 
exactly $k$ different images. Then similarly to the previous corollary, two strictly 
$k$-valued transducers are equivalent if, and only if, they have the same domain and 
their union is $k$-valued. 


Corollary 3. The equivalence of two strictly $k$-valued 2VPT$_{su}$ $T$ and $T'$ can be 
decided in NExpTime. It is also ExpTime-hard. 


Strict $k$-valuedness is however an undecidable property (this can be shown by 
using the Post correspondence problem), even for $k = 2$. Deciding the equivalence 
problem for $k$-valued 2VPT$_{su}$ (which are not necessarily strictly $k$-valued) is open 
already in the stack-less case, and a (very) particular case has been solved in 
[14]. 


Type-checking against Parikh properties. Given a 2VPT $T$, it might be desirable 
to check some properties of the output words it produces, i.e., for a language $L$, 
whether the codomain of $T$ is included in $L$. Formally, the type-checking problem 
asks, given a transducer $T$ and a language $L$, whether $T(\Sigma^*) \subseteq L$. Unfortunately, 
this problem is undecidable when $L$ is given by a visibly pushdown automaton 
(and $T$ is a VPT) [13]. Nevertheless, we show that the type-checking problem is 
decidable when $T$ is a 2VPT$_{su}$ and $L$ is the complement of the language given 
by a (stack-less) Parikh automaton. As a consequence, we are able to decide 
whether a 2VPT$_{su}$ $T$ produces only well-nested words, i.e. if the output alphabet 
of $T$ is structured and for every input word $u$ and any $v \in T(u)$, $v$ is a well-nested 
word. 


Theorem 6. Let $T$ be a 2VPT$_{su}$ and $P$ be a (stack-free) Parikh automaton 
over the output alphabet of $T$. Then we can decide whether $T(\Sigma^*) \cap L(P) = \emptyset$ 
in NExpTime. It is also ExpTime-hard. 


This is done by constructing a 2VPPA$_{su}$ $P'$ which simulates $T$, and instead 
of producing letters, simulates $P$ on the output of $T$. A word $w$ on a structured 
alphabet $\Sigma$ is not well-nested if either $|w|_c \neq |w|_r$, i.e. the number of call letters 
is not equal to the number of return letters, or if there exists a prefix $u$ of $w$ 
such that $|u|_c < |u|_r$. As this can be checked by a (non-deterministic) Parikh 
automaton, we get the following corollary. 

Corollary 4. Let $T$ be a 2VPT$_{su}$ whose output alphabet is structured. It can be 
decided in CoNExpTime whether $T$ only produces well-nested words. 
Abstract. We study the Horn theories of Kleene algebras and star con- 
tinuous Kleene algebras, from the complexity point of view. While their 
equational theories coincide and are PSPACE-complete, their Horn theo- 
ries differ and are undecidable. We characterise the Horn theory of star 
continuous Kleene algebras in terms of downward closed languages and 
we show that when restricting the shape of allowed hypotheses, the prob- 
lems lie in various levels of the arithmetical or analytical hierarchy. We 
also answer a question posed by Cohen about hypotheses of the form 
$1 = S$ where $S$ is a sum of letters: we show that it is decidable. 


Keywords: Kleene algebra - Hypotheses - Horn theory - Complexity 


1 Introduction 


Kleene algebras [6,10] are idempotent semirings equipped with a unary operation 
star such that x* intuitively corresponds to the sum of all powers of x. They 
admit several models which are important in practice: formal languages, where 
L* is the Kleene star of a language L; binary relations, where R* is the reflexive 
transitive closure of a relation R; matrices over various semirings, where M* can 
be used to perform flow analysis. 

A fundamental result is that their equational theory is decidable, and actually 
PSPACE-complete. This follows from a completeness result which was proved 
independently by Kozen [11] and Krob [17] and Boffa [3], and the fact that 
checking language equivalence of two regular expressions is PSPACE-complete: 
given two regular expressions, we have 


$$KA \vdash e \le f \quad\text{iff}\quad [e] \subseteq [f]$$ 


(where $KA \vdash e \le f$ denotes provability from Kleene algebra axioms, and $[e]$ is 
the language of a regular expression $e$). 
Because of their interpretation in the algebra of binary relations, Kleene 
algebras and their extensions have been used to reason abstractly about program 
correctness [1,2,9,12,15]. For instance, if two programs can be abstracted into 
two relational expressions $(R^*;S)^*$ and $((R \cup S)^*;S)^{=}$, then we can deduce that 
these programs are equivalent by checking that the regular expressions $(a^*b)^*$ 
and $(a + b)^*b + 1$ denote the same language. This technique made it possible to 
automate reasoning steps in proof assistants [4,16,19]. 

In such a scenario, one often has to reason under assumptions. For instance, 
if we can abstract our programs into relational expressions (R+S)* and S*; R*, 
then we can deduce algebraically that the starting programs are equal if we 
know that R;S = R (i.e., that S is a no-op when executed after R). When 
doing so, we move from the equational theory of Kleene algebras to their Horn 
theory: we want to know whether a given set of equations, the hypotheses, entails 
another equation in all Kleene algebras. Unfortunately, this theory is undecidable 
in general [13]. In this paper, we continue the work initiated by Cohen [5] and 
pursued by Kozen [13], by characterising the precise complexity of new subclasses 
of this general problem. 

A few cases have been shown to be decidable in the literature, when we 
restrict the form of the hypotheses: 


— when they are of the form $e = 0$ [5], 

— when they are of the form $a \le 1$ for $a$ a letter [5], 

— when they are of the form $1 = w$ or $a = w$ for $a$ a letter and $w$ a word, 
provided that those equations seen as a word rewriting system satisfy certain 
properties [14,18]; this includes equations like idempotency ($x = xx$) or self- 
invertibility ($1 = xx$). 


(In the first two cases, the complexity can be shown to remain in PSPACE.) 
We add one positive case, which was listed as open by Cohen [5], and which is 
typically useful to express that a certain number of predicates cover all cases: 


— when hypotheses are of the form S = 1 for S a sum of letters. 


Conversely, Kozen also studied the precise complexity of various undecidable 
sub-classes of the problem [13]. For those, one has to be careful about the precise 
definition of Kleene algebras. Indeed, these only form a quasi-variety (their def- 
inition involves two implications), and one often considers *-continuous Kleene 
algebras [6], which additionally satisfy an infinitary implication (we define these 
formally in Sect. 2). While the equational theory of Kleene algebras coincides 
with that of *-continuous Kleene algebras, this is not the case for their Horn 
theories: there exist Horn sentences which are valid in all *-continuous Kleene 
algebras but not in all Kleene algebras. 

Kozen [13] showed for instance that when hypotheses are of the form $pq = qp$ 
for pairs of letters $(p, q)$, then validity of an implication in all *-continuous Kleene 
algebras is $\Pi^0_1$-complete, while it is only known to be EXPSPACE-hard for plain 
Kleene algebras. In fact, for plain Kleene algebras, the only known negative 
result is that the problem is undecidable for hypotheses of the form $u = v$ for 
pairs $(u, v)$ of words (Kleene star plays no role in this undecidability result: this 
is just the word problem). We show that it is already undecidable, and in fact 
$\Sigma^0_1$-complete when hypotheses are of the form $a \le S$ where $a$ is a letter and $S$ is 
a sum of letters. We use a similar encoding as in [13] to relate the Horn theories 
of KA and KA* to runs of Turing machines and alternating linearly bounded 
automata. This allows us to show that deciding whether an inequality $w \le f$ 
holds where $w$ is a word, in presence of sum-of-letters hypotheses, is EXPTIME- 
complete. We also refine the $\Pi^1_1$-completeness result obtained in [13] for general 
hypotheses, by showing that hypotheses of the form $a \le g$ where $a$ is a letter 
already make the problem $\Pi^1_1$-complete. 


                        | $1 = \sum a$ | $a \le \sum b$                      | $a \le w$              | $a \le g$ 
$KA_H \vdash u \le f$   | Decidable    | EXPTIME-complete                    | $\Sigma^0_1$-complete  | $\Sigma^0_1$-complete 
$KA_H \vdash e \le f$   | Decidable    | Undecidable ($\Sigma^0_1$-complete) | $\Sigma^0_1$-complete  | $\Sigma^0_1$-complete 
$KA^*_H \vdash u \le f$ | Decidable    | EXPTIME-complete                    | $\Sigma^0_1$-complete  | $\Pi^1_1$-complete 
$KA^*_H \vdash e \le f$ | Decidable    | $\Pi^0_1$-complete                  | $\Pi^0_2$-complete     | $\Pi^1_1$-complete 


Fig. 1. Summary of the main results. 

The key notion we define and exploit in this paper is the following: given a set 
$H$ of equations, and given a language $L$, write $cl_H(L)$ for the smallest language 
containing $L$ such that for all hypotheses $(e \le f) \in H$ and all words $u, v$, 


$$\text{if } u[f]v \subseteq cl_H(L) \text{ then } u[e]v \subseteq cl_H(L).$$ 


This notion makes it possible to characterise the Horn theory of *-continuous 
Kleene algebras, and to approximate that of Kleene algebras: we have 


$$KA_H \vdash e \le f \;\Rightarrow\; KA^*_H \vdash e \le f \;\Leftrightarrow\; [e] \subseteq cl_H([f])$$ 


where $KA_H \vdash e \le f$ (resp. $KA^*_H \vdash e \le f$) denotes provability in Kleene algebra 
(resp. *-continuous Kleene algebra). We study downward closed languages and 
prove the above characterisation in Sect. 3. 

The first implication can be strengthened into an equivalence in a few cases, 
for instance when the regular expression $e$ and the right-hand sides of all 
hypotheses denote finite languages, or when hypotheses have the form $1 = S$ for $S$ a 
sum of letters. We obtain decidability in those cases (Sect. 4). 

Then we focus on cases where hypotheses are of the form a < e for a a 
letter, and we show that most problems are already undecidable there. We do 
so by exploiting the characterisation in terms of downward closed languages to 
provide encodings of various undecidable problems on Turing machines, total 
Turing machines, and linearly bounded automata (Sect. 5). 

We summarise our results in Fig. 1. The top of each column restricts the 
type of allowed hypotheses. Variables e, f stand for general expressions, u, w for 
words, and a,b for letters. Grayed statements are implied by non-grayed ones. 
Notations. We let $a, b$ range over the letters of a finite alphabet $\Sigma$. We let $u, v, w$ 
range over the words over $\Sigma$, whose set is written $\Sigma^*$. We write $\varepsilon$ for the empty 
word; $uv$ for the concatenation of two words $u, v$; $|w|$ for the length of a word $w$. 
We write $\Sigma^+$ for the set of non-empty words. We let $e, f, g$ range over the regular 
expressions over $\Sigma$, whose set is written $Exp_\Sigma$. We write $[e]$ for the language of 
such an expression $e$: $[e] \subseteq \Sigma^*$. We sometimes implicitly regard a word as a 
regular expression. If $X$ is a set, $\mathcal{P}(X)$ (resp. $\mathcal{P}_{fin}(X)$) is the set of its subsets 
(resp. finite subsets) and $|X|$ is its cardinality. 

A long version of this extended abstract is available on HAL [8], with most 
proofs in appendix. 


2 The Systems KA and KA* 


Definition 1 (KA, KA*). A Kleene algebra is a tuple $(M, 0, 1, +, \cdot, {}^*)$ where 
$(M, 0, 1, +, \cdot)$ is an idempotent semiring and the following axioms and impli- 
cations, where the partial order $\le$ is defined by $x \le y$ if $x + y = y$, hold for all 
$x, y \in M$. 


$$1 + xx^* \le x^* \qquad\qquad xy \le y \Rightarrow x^*y \le y$$ 

$$1 + x^*x \le x^* \qquad\qquad yx \le y \Rightarrow yx^* \le y$$ 


A Kleene algebra is *-continuous if it satisfies the following implication: 


$$(\forall i \in \mathbb{N},\ xy^iz \le t) \;\Rightarrow\; xy^*z \le t$$ 


A hypothesis is an inequation of the form $e \le f$, where $e$ and $f$ are regular 
expressions. If $H$ is a set of hypotheses, and $e, f$ are regular expressions, we 
write $KA_H \vdash e \le f$ (resp. $KA^*_H \vdash e \le f$) if $e \le f$ is derivable from the axioms 
and implications of KA (resp. KA*) as well as the hypotheses from $H$. We omit 
the subscript when $H$ is empty. 


Note that the letters appearing in the hypotheses are constants: they are not 
universally quantified. In particular if $H = \{aa \le a\}$, we may deduce $KA_H \vdash 
a^+ \le a$ but not $KA_H \vdash b^+ \le b$. 

Languages over the alphabet $\Sigma$ form a *-continuous Kleene algebra, as do 
binary relations over an arbitrary set. 

In absence of hypotheses, provability in KA coincides with provability in 
KA* and with language inclusion: 


Theorem 1 (Kozen [11]). 


$$KA \vdash e \le f \;\Leftrightarrow\; KA^* \vdash e \le f \;\Leftrightarrow\; [e] \subseteq [f]$$ 
We will classify the theories based on the shape of hypotheses we allow; we 
list them below ($I$ is a finite non-empty set): 


Name of the hypothesis              Its shape 
$(1 = \sum x)$-hypothesis           $1 = \sum_{i \in I} a_i$ where $a_i \in \Sigma$ 
$(w \le \sum w)$-hypothesis         $v \le \sum_{i \in I} v_i$ where $v, v_i \in \Sigma^*$ 
$(x \le \sum w)$-hypothesis         $a \le \sum_{i \in I} v_i$ where $a \in \Sigma, v_i \in \Sigma^*$ 
$(x \le \sum x)$-hypothesis         $a \le \sum_{i \in I} a_i$ where $a, a_i \in \Sigma$ 
$(1 \le \sum x)$-hypothesis         $1 \le \sum_{i \in I} a_i$ where $a_i \in \Sigma$ 
$(x \le 1)$-hypothesis              $a \le 1$ where $a \in \Sigma$ 


We call letter hypotheses any class of hypotheses where the left-hand side is 
a letter (the last four ones). In the rest of the paper, we study the following 
problem from a complexity point of view: given a set of $C$-hypotheses $H$, where 
$C$ is one of the classes listed above, and two expressions $e, f \in Exp_\Sigma$, can we 
decide whether $KA_H \vdash e \le f$ (resp. $KA^*_H \vdash e \le f$) holds? We call it the problem 
of deciding KA (resp. KA*) under $C$-hypotheses. 


3 Closure of Regular Languages 


It is known that provability in KA and KA* can be characterised by language 
inclusions (Theorem 1). In the presence of hypotheses, this is not the case any- 
more: we need to take the hypotheses into account in the semantics. We do so 
by using the following notion of downward closure of a language. 


3.1 Definition of the Closure 


Definition 2 (H-closure). Let $H$ be a set of hypotheses and $L \subseteq \Sigma^*$ be a 
language. The $H$-closure of $L$, denoted $cl_H(L)$, is the smallest language $K$ such 
that $L \subseteq K$ and for all hypotheses $e \le f \in H$ and all words $u, v \in \Sigma^*$, we have 


$$u[f]v \subseteq K \;\Rightarrow\; u[e]v \subseteq K$$ 


Alternatively, $cl_H(L)$ can be defined as the least fixed point of the function 
$\phi_L : \mathcal{P}(\Sigma^*) \to \mathcal{P}(\Sigma^*)$ defined by $\phi_L(X) = L \cup \psi_H(X)$, where 


$$\psi_H(X) = \bigcup_{(e \le f) \in H} \{u[e]v \mid u, v \in \Sigma^*,\ u[f]v \subseteq X\}.$$ 


Example 1. If $H = \{ab \le ba\}$ then $cl_H([b^*a^*]) = [(a+b)^*]$, while $cl_H([a^*b^*]) = 
[a^*b^*]$. 
In order to manipulate closures more conveniently, we introduce a syntactic 
object witnessing membership in a closure: derivation trees. 


Definition 3. Let $H$ be a set of hypotheses and $L$ a regular language. We define 
an infinitely branching proof system related to $cl_H(L)$, where statements are regu- 
lar expressions, and rules are the following, called respectively axiom, extension, 
and hypothesis: 


$$\frac{}{u}\; u \in L \qquad\qquad \frac{(w)_{w \in [e]}}{e} \qquad\qquad \frac{ufv}{uwv}\; w \in [e],\ e \le f \in H$$ 


We write $\vdash_{H,L} e$ if $e$ is derivable in this proof system, i.e. if there is a well- 
founded tree using these rules, with root $e$ and all leaves labelled by words in $L$. 
Such a tree will be called a derivation tree for $[e] \subseteq cl_H(L)$ (or $e \in cl_H(L)$ if $e$ 
is a word). 


Example 2. The following derivation is a derivation tree for $bababa \in cl_H([b^*a^*])$, 
where $H = \{ab \le ba\}$ (leaf at the top, root at the bottom): 


$bbbaaa$ 
$bbabaa$ 
$bbaaba$ 
$bababa$ 

Derivation trees witness membership to the closure as shown by the following 
proposition. 

Proposition 1. $[e] \subseteq cl_H(L)$ iff $\vdash_{H,L} e$. 
(See [8, App. A] for a proof.) 
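The closure of Definition 2 and the derivation trees of Definition 3 can be computed directly when all hypotheses have words on both sides, which covers Examples 1 and 2. The Python code below is an added example, not code from the paper: it iterates $\phi_L$ to its least fixed point on the words of length at most a given bound, remembering for each added word the hypothesis rule that justified it, so that a derivation (root first) can be read back. For a hypothesis whose right-hand words are no longer than its left-hand word, such as $ab \le ba$, the bounded computation is exact; otherwise it is only an under-approximation, since premises longer than the bound are never explored. The language $L$ is assumed to be given as a Python predicate (a regular expression here).

```python
import re
from itertools import product

# Added example (not from the paper): computes cl_H(L) restricted to words of
# length <= max_len as the least fixed point of phi_L (Definition 2), for
# hypotheses e <= f_1 + ... + f_n whose sides are words, and records the rule
# used for each added word so that a derivation (Definition 3) can be read back.
# Assumption: L is given as a Python predicate on words.


def bounded_closure(alphabet, in_L, hyps, max_len):
    """Return (K, parent). K is cl_H(L) restricted to words of length <= max_len
    (exact when no right-hand word is longer than its left-hand word, an
    under-approximation otherwise); parent[u] = (e, pos, premises) records, for
    each word added by a hypothesis rule, which occurrence of e was used."""
    words = ["".join(p) for n in range(max_len + 1) for p in product(alphabet, repeat=n)]
    K = {w for w in words if in_L(w)}                       # axiom rule: leaves lie in L
    parent = {}
    changed = True
    while changed:                                           # Kleene iteration of phi_L
        changed = False
        for u in words:
            if u in K:
                continue
            for e, fs in hyps:
                hit = False
                for pos in range(len(u) - len(e) + 1):
                    if u[pos:pos + len(e)] != e:
                        continue
                    x, y = u[:pos], u[pos + len(e):]
                    premises = [x + f + y for f in fs]     # u[f]v ⊆ K  ⇒  u[e]v ⊆ K
                    if all(p in K for p in premises):
                        K.add(u)
                        parent[u] = (e, pos, premises)
                        changed = hit = True
                        break
                if hit:
                    break
    return K, parent


def derivation(u, parent):
    """Root-first chain of statements, for hypotheses with a single right-hand word."""
    chain = [u]
    while u in parent:
        u = parent[u][2][0]
        chain.append(u)
    return chain


def is_one_step(u, v, hyps):
    """True if v is a premise of u under some hypothesis (one derivation step)."""
    for e, fs in hyps:
        for pos in range(len(u) - len(e) + 1):
            if u[pos:pos + len(e)] == e and v in [u[:pos] + f + u[pos + len(e):] for f in fs]:
                return True
    return False


H = [("ab", ["ba"])]                           # Examples 1 and 2: H = {ab <= ba}
in_bstar_astar = lambda w: re.fullmatch(r"b*a*", w) is not None
in_astar_bstar = lambda w: re.fullmatch(r"a*b*", w) is not None

if __name__ == "__main__":
    K1, p1 = bounded_closure("ab", in_bstar_astar, H, 6)
    K2, _ = bounded_closure("ab", in_astar_bstar, H, 6)
    print(len(K1), len(K2), derivation("bababa", p1))
```

Up to length 6 the closure of $[b^*a^*]$ contains all 127 words over $\{a,b\}$, and the closure of $[a^*b^*]$ is $[a^*b^*]$ itself (28 words), as Example 1 states. The derivation returned for $bababa$ need not be the one of Example 2 (the rule may be applied at a different position), but every step replaces one occurrence of $ab$ by $ba$ and the chain ends in a word of $b^*a^*$.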


3.2 Properties of the Closure Operator 


We summarise in this section some useful properties of the closure. Lemma 1 
shows in particular that the closure is idempotent, monotonic (both for the set 
of hypotheses and its language argument) and invariant by context application. 
Lemma 2 shows that internal closure operators can be removed in the evaluation 
of regular expressions. Those two lemmas are proved in [8, App. A]. 


Lemma 1. Let $A, B, U, V \subseteq \Sigma^*$. We have 


1. $A \subseteq B$ implies $cl_H(A) \subseteq cl_H(B)$ 
2. $H \subseteq H'$ implies $cl_H(A) \subseteq cl_{H'}(A)$ 
3. $cl_H(A) \subseteq cl_H(B)$ if and only if $A \subseteq cl_H(B)$ 
4. $A \subseteq cl_H(B)$ implies $UAV \subseteq cl_H(UBV)$ 


Lemma 2. Let $A, B \subseteq \Sigma^*$, then 


1. $cl_H(A + B) = cl_H(cl_H(A) + cl_H(B))$, 
2. $cl_H(AB) = cl_H(cl_H(A)\,cl_H(B))$, 
3. $cl_H(A^*) = cl_H(cl_H(A)^*)$ 


Kleene Algebra with Hypotheses 213 


3.3 Relating Closure and Provability in $KA_H$ and $KA^*_H$ 


We show that provability in KA* can be characterized by closure inclusions. In 
KA, provability implies closure inclusions but the converse is not true in general. 


Theorem 2. Let $H$ be a set of hypotheses and $e, f$ be two regular expressions. 
$$KA_H \vdash e \le f \;\Rightarrow\; KA^*_H \vdash e \le f \;\Leftrightarrow\; [e] \subseteq cl_H([f])$$ 


Proof. Let $CReg_{H,\Sigma} = \{cl_H(L) \mid L \in Reg_\Sigma\}$, on which we define the following 
operations: 


$$X \oplus Y = cl_H(X + Y) \qquad X \odot Y = cl_H(X \cdot Y) \qquad X^{\circledast} = cl_H(X^*).$$ 


We define the closure model $F_{H,\Sigma} = (CReg_{H,\Sigma}, \emptyset, \{\varepsilon\}, \oplus, \odot, {}^{\circledast})$. 
We write $\le$ for the inequality induced by $\oplus$ in $F_{H,\Sigma}$: $X \le Y$ if $X \oplus Y = Y$. 


Lemma 3. $F_{H,\Sigma} = (CReg_{H,\Sigma}, \emptyset, \{\varepsilon\}, \oplus, \odot, {}^{\circledast})$ is a *-continuous Kleene algebra. 
The inequality $\le$ of $F_{H,\Sigma}$ coincides with inclusion of languages. 


Proof. By Lemma 2, the function $cl_H : (\mathcal{P}(\Sigma^*), +, \cdot, {}^*) \to (CReg_{H,\Sigma}, \oplus, \odot, {}^{\circledast})$ is 
a homomorphism. We show that $F_{H,\Sigma}$ is a *-continuous Kleene algebra. First, 
identities of $Lang_\Sigma = (\mathcal{P}(\Sigma^*), +, \cdot, {}^*)$ are propagated through the morphism 
$cl_H$, so only Horn formulas defining *-continuous Kleene algebras remain to 
be verified. It suffices to prove that $F_{H,\Sigma}$ satisfies the *-continuity implication, 
because the implication $xy \le y \Rightarrow x^*y \le y$ and its dual can be deduced from 
it. Let $A, B, C, D \in F_{H,\Sigma}$ such that for all $i \in \mathbb{N}$, $A \odot B^{\odot i} \odot C \le D$, where 
$B^{\odot i} = B \odot \dots \odot B$. By Lemma 2, $A \odot B^{\odot i} \odot C = cl_H(AB^iC)$, so we have 
$cl_H(AB^iC) \le D$, and in particular $AB^iC \le D$ for all $i$. By *-continuity of 
$Lang_\Sigma$, we obtain $AB^*C \le D$. By Lemma 1 and using $D = cl_H(D)$, we obtain 
$cl_H(AB^*C) \le D$ and finally by Lemma 2, $A \odot B^{\circledast} \odot C \le D$. This achieves the 
proof that $F_{H,\Sigma}$ is a *-continuous Kleene algebra. 

Let $A, B \in CReg_{H,\Sigma}$. We have $A \le B \Leftrightarrow A \oplus B = B \Leftrightarrow cl_H(A + B) = B \Leftrightarrow 
A \subseteq B$. Finally, if $e \le f$ is a hypothesis from $H$, then we have $cl_H([e]) \subseteq cl_H([f])$, 
so the hypothesis is verified in $F_{H,\Sigma}$. 


The implications $KA_H \vdash e \le f \Rightarrow [e] \subseteq cl_H([f])$ follow from the fact that if 
an inequation $e \le f$ is derivable in $KA_H$ (resp. $KA^*_H$) then it is true in every 
model, in particular in the model $F_{H,\Sigma}$, thus $cl_H([e]) \subseteq cl_H([f])$ or, equivalently, 
$[e] \subseteq cl_H([f])$. 

Let us prove that for any regular expressions $e, f$, if $[e] \subseteq cl_H([f])$ then 
$KA^*_H \vdash e \le f$. Let $e, f$ be two such expressions and let $T$ be a derivation tree 
for $[e] \subseteq cl_H([f])$, i.e. witnessing $\vdash_{H,[f]} e$. We show that we can transform 
this tree $T$ into a proof tree in $KA^*_H$. The extension rule is an occurrence of [8, 
App. A, Lem. 12]. Finally, the hypothesis rule is also provable in $KA^*_H$, using 
the hypothesis $e \le f$ together with compatibility of $\le$ with concatenation, and 
completeness of KA* for membership of $u \in [e]$. We can therefore build from the 
tree $T$ a proof in $KA^*_H$ witnessing $KA^*_H \vdash e \le f$. 

When we restrict the shape of the expression $e$ to words, and hypotheses to 
$(w \le \sum w)$-hypotheses, we get the implication missing from Theorem 2. 
Proposition 2. Let $H$ be a set of $(w \le \sum w)$-hypotheses, $w \in \Sigma^*$ and $f \in 
Exp_\Sigma$. 
$$KA_H \vdash w \le f \;\Leftrightarrow\; w \in cl_H([f])$$ 


Proof. Let us show that $w \in cl_H([f])$ implies $KA_H \vdash w \le f$. We proceed by 
induction on the height of a derivation tree for $w \in cl_H([f])$. If this tree is just 
a leaf, then $w \in [f]$ and by Theorem 1 $KA \vdash w \le f$. Otherwise, this derivation 
starts with the following step, where $w = uw'v$: 


$$\frac{(uw_iv)_i}{w}\; w' \le \textstyle\sum_i w_i \in H$$ 


Our inductive assumption is that $KA_H \vdash uw_iv \le f$ for all $i$, thus $KA_H \vdash 
\sum_i uw_iv \le f$. We also have $KA_H \vdash w \le u(\sum_i w_i)v$ hence $KA_H \vdash w \le f$ by 
distributivity. 


4 Decidability of KA and KA* with $(1 = \sum x)$-Hypotheses 


In this section, we answer positively the decidability problem of $KA_H$, where $H$ 
is a set of $(1 = \sum x)$-hypotheses, posed by Cohen [5]: 


Theorem 3. If $H$ is a set of $(1 = \sum x)$-hypotheses, then $KA_H$ is decidable. 
To prove this theorem we show that in the case of $(1 = \sum x)$-hypotheses: 


(P1) $KA_H \vdash e \le f$ if and only if $[e] \subseteq cl_H([f])$. 
(P2) $cl_H([f])$ is regular and we can compute effectively an expression for it. 


Decidability of $KA_H$ follows immediately from (P1) and (P2), since it amounts 
to checking language inclusion for two regular expressions. 
To show (P1) and (P2), it is enough to prove the following result: 


Theorem 4. Let $H$ be a set of $(1 = \sum x)$-hypotheses and let $f$ be a regular 
expression. The language $cl_H([f])$ is regular and we can compute effectively an 
expression $c$ such that $[c] = cl_H([f])$ and $KA_H \vdash c \le f$. 


(P2) follows immediately from Theorem 4. To show (P1), it is enough to prove 
that $[e] \subseteq cl_H([f])$ implies $KA_H \vdash e \le f$, since the other implication is always 
true (Theorem 2). Let $e, f$ such that $[e] \subseteq cl_H([f])$. If $c$ is the expression given 
by Theorem 4, we have $KA_H \vdash c \le f$ and $[e] \subseteq [c]$ so by Theorem 1 $KA \vdash e \le c$, 
and this concludes the proof. 

To prove Theorem 4, we first show that the closure of $(1 = \sum x)$-hypotheses 
can be decomposed into the closure of $(x \le 1)$-hypotheses followed by the closure 
of $(1 \le \sum x)$-hypotheses: 


Proposition 3 (Decomposition result). Let $H = \{1 = S_j \mid j \in J\}$ be a set 
of $(1 = \sum x)$-hypotheses. 

We set $H_{sum} = \{1 \le S_j \mid j \in J\}$ and $H_{id} = \{a \le 1 \mid a \in [S_j], j \in J\}$. For 
every language $L \subseteq \Sigma^*$, we have $cl_H(L) = cl_{H_{sum}}(cl_{H_{id}}(L))$. 
Sketch. We show that rules from $H_{id}$ can be locally permuted with rules of 
$H_{sum}$ in a derivation tree. This allows to compute a derivation tree where all 
rules from $H_{id}$ occur after (i.e. closer to leaves than) rules from $H_{sum}$. 


Now, we will show results similar to Theorem 4, but which apply to $(x \le 1)$- 
hypotheses and $(1 \le \sum x)$-hypotheses (Propositions 5 and 6 below). To prove 
Theorem 4, the idea is to decompose $H$ into $H_{id}$ and $H_{sum}$ using the decom- 
position property Proposition 3, then applying Propositions 5 and 6 to $H_{id}$ and 
$H_{sum}$ respectively. 

To show these two propositions, we make use of a result from [7]: 


Definition 4. Let $A = (Q, \Delta, \iota, F)$ be an NFA, $H$ be a set of hypotheses and 
$\varphi : Q \to Exp_\Sigma$ a function from states to expressions. We say that $\varphi$ is $H$- 
compatible with $A$ if: 


- $KA_H \vdash 1 \le \varphi(q)$ whenever $q \in F$, 
- $KA_H \vdash a\varphi(r) \le \varphi(q)$ for all transitions $(q, a, r) \in \Delta$. 


We set $\varphi^A = \varphi(\iota)$. 


Proposition 4 ([7]). Let $A$ be an NFA, $H$ be a set of hypotheses and $\varphi$ be a 
function $H$-compatible with $A$. We can construct a regular expression $f_A$ such 
that: 

$$[f_A] = [A] \quad\text{and}\quad KA_H \vdash f_A \le \varphi^A$$ 


Proposition 5. Let $H$ be a set of $(x \le 1)$-hypotheses and let $f$ be a regular 
expression. The language $cl_H([f])$ is regular and we can compute effectively an 
expression $c$ such that $[c] = cl_H([f])$ and $KA_H \vdash c \le f$. 


Proof. Let $K = cl_H([f])$ and $\Gamma = \{a \mid (a \le 1) \in H\}$; we show that $K$ is regular. 
If $A$ is an NFA for $f$, an NFA $A_{id}$ recognizing $K$ can be built from $A$ by adding a 
$\Gamma$-labelled loop on every state. It is straightforward to verify that the resulting 
NFA recognizes $K$, by allowing to ignore any letter from $\Gamma$. 

For every $q \in Q$, let $f_q$ be a regular expression such that $[f_q] = [q]_A$, where 
$[q]_A$ denotes the language accepted from $q$ in $A$. Let $\varphi : Q \to Exp_\Sigma$ which maps 
each state $q$ of $A_{id}$ (which is also a state of $A$) to $\varphi(q) = f_q$. Let us show that $\varphi$ is 
$H$-compatible with $A_{id}$. If $q \in F$, then $1 \in [f_q]$, so by completeness of KA, we have 
$KA \vdash 1 \le f_q$. Let $(p, a, q)$ be a transition of $A_{id}$. Either $(p, a, q) \in \Delta$, in which 
case we have $a[f_q] \subseteq [f_p]$, and so by Theorem 1 $KA \vdash af_q \le f_p$. Or $p = q$ (this 
transition is a loop that we added). Then $KA_H \vdash a \le 1$, so $KA_H \vdash af_p \le f_p$, 
and this concludes the proof. 

By Proposition 4, we can now construct a regular expression $c$ which satisfies 
the desired properties. 
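The automaton $A_{id}$ of the proof above is small enough to build and test by hand. The following Python code is an added example, not code from the paper: it represents an NFA as a set of transition triples, adds the $\Gamma$-labelled loop on every state, and checks the resulting automaton exhaustively (all words up to a length bound) against the direct reading of $cl_H(L)$ for $(x \le 1)$-hypotheses, namely that $u \in cl_H(L)$ iff erasing some occurrences of letters of $\Gamma$ from $u$ yields a word of $L$, since each application of a hypothesis rule $a \le 1$ inserts one letter $a$. The sample automaton for $(ab)^*$ and the alphabet $\{a, b, c\}$ are constructed here.

```python
from itertools import product

# Added example (not from the paper): the construction in the proof of
# Proposition 5. From an NFA A for f, the NFA A_id obtained by adding a
# Γ-labelled loop on every state recognises cl_H([f]) for the
# (x <= 1)-hypotheses H = {a <= 1 | a in Γ}. It is checked against the direct
# reading of that closure: u is in cl_H(L) iff erasing some occurrences of
# letters of Γ from u gives a word of L. The NFA encoding (a set of (q, a, r)
# triples) and the sample automaton for (ab)* are constructed for this example.


def nfa_accepts(trans, init, final, word):
    """Subset simulation of an NFA given by its transition triples."""
    cur = set(init)
    for a in word:
        cur = {r for (q, b, r) in trans if q in cur and b == a}
        if not cur:
            return False
    return bool(cur & final)


def add_id_loops(trans, states, gamma):
    """A_id: a loop labelled by every letter of Γ on every state (Proposition 5)."""
    return set(trans) | {(q, a, q) for q in states for a in gamma}


def closure_member_by_erasure(word, gamma, in_L):
    """u ∈ cl_H(L) for H = {a ≤ 1 | a ∈ Γ}: the hypothesis rule reads
    'if uv ∈ K then uav ∈ K', i.e. each rule application inserts one letter of
    Γ, so u has a derivation iff erasing some subset of its Γ-positions gives a
    word of L (the leaves of the derivation)."""
    pos = [i for i, ch in enumerate(word) if ch in gamma]
    for mask in range(1 << len(pos)):
        erased = {pos[i] for i in range(len(pos)) if mask >> i & 1}
        if in_L("".join(ch for i, ch in enumerate(word) if i not in erased)):
            return True
    return False


# Constructed sample: A recognises (ab)*; state 0 is initial and final.
STATES, INIT, FINAL = {0, 1}, {0}, {0}
TRANS = {(0, "a", 1), (1, "b", 0)}


def agreement(gamma, alphabet="abc", max_len=5):
    """True if A_id and the erasure characterisation agree on every word up to max_len."""
    a_id = add_id_loops(TRANS, STATES, gamma)
    in_L = lambda w: nfa_accepts(TRANS, INIT, FINAL, w)
    for n in range(max_len + 1):
        for p in product(alphabet, repeat=n):
            w = "".join(p)
            if nfa_accepts(a_id, INIT, FINAL, w) != closure_member_by_erasure(w, gamma, in_L):
                return False
    return True


if __name__ == "__main__":
    a_id = add_id_loops(TRANS, STATES, {"c"})
    print(nfa_accepts(a_id, INIT, FINAL, "cabcc"), nfa_accepts(a_id, INIT, FINAL, "ba"),
          agreement({"c"}), agreement({"a"}))
```

The agreement check also covers the case where a letter of $\Gamma$ already occurs in $L$ (for instance $\Gamma = \{a\}$ with $L = [(ab)^*]$): the loop lets the automaton treat any occurrence of $a$ either as a genuine transition or as an ignored letter, which is exactly the nondeterministic choice of which occurrences to erase.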


Definition 5. Let $\Gamma$ be a set of letters. A language $L$ is said to be $\Gamma$-closed if: 
$$\forall u, v \in \Sigma^*,\ \forall a \in \Gamma,\quad uv \in L \Rightarrow uav \in L$$ 


If $H = \{1 \le S_i \mid i \in I\}$ is a set of $(1 \le \sum x)$-hypotheses, we say that a 
language $L$ is $H$-closed if it is $\Gamma$-closed where $\Gamma = \bigcup_{i \in I} [S_i]$. 
Remark 1. If $H$ is a set of $(x \le 1)$-hypotheses, and $\Gamma = \{a \mid (a \le 1) \in H\}$, then 
$cl_H(L)$ is $\Gamma$-closed for every language $L$. 


Proposition 6. Let $H$ be a set of $(1 \le \sum x)$-hypotheses and let $f$ be a regular 
expression whose language is $H$-closed. The language $cl_H([f])$ is regular and we 
can compute effectively an expression $c$ such that $[c] = cl_H([f])$ and $KA_H \vdash c \le f$. 


Proof. We set $L = [f]$, $H = \{1 \le S_j \mid j \in J\}$ and $\Gamma = \{a \mid a \in [S_j], j \in J\}$. 


Let us show that $cl_H(L)$ is regular. The idea is to construct a set of words 
$L_\dagger$, where each word $u_\dagger$ is obtained from a word $u$ of $cl_H(L)$, by adding at the 
position where a rule $(1 \le S_j)$ is applied in the derivation tree for $u \in cl_H(L)$, a 
new symbol $\dagger_j$. We will show that this set satisfies the two following properties: 


— $cl_H(L)$ is obtained from $L_\dagger$ by erasing the symbols $\dagger_j$. 
— $L_\dagger$ is regular. 


Since the operation that erases letters preserves regularity, we obtain as a corol- 
lary that $cl_H(L)$ is regular. 

Let us now introduce more precisely the language Ly and show the properties 
that it satisfies. Let ©} = {f; | j € J} be a set of new letters and X} = X U O} 
be the alphabet X enriched with these new letters. 

We define the function exp : Xy — P(X) that expands every letter f; into 
the sum of the letters corresponding to its rule in H as follows: 


exp(a) =a ifae X 
emp(tj)={alae[Sj]} weet 


This function can naturally be extended to exp : (X})* > P(X*). 
If LC X*, we define Ly C (L}4)* as follows: 


Ly = exp~!(P(L)) = {u € (34)* | eap(u) © L} 


We define the morphism $\pi : (\Sigma_H)^* \to \Sigma^*$ that erases the letters from $\Theta_H$ as follows: $\pi(a) = a$ if $a \in \Sigma$ and $\pi(\dagger_j) = \varepsilon$ for all $j \in J$. Our goal is to prove that $\mathrm{cl}_H(L) = \pi(L_H)$ and that $L_H$ is regular. To prove the first part, we need an alternative presentation of $L_H$ as the closure of a new set of hypotheses $H_H$ which we define as follows:


$H_H = \{\dagger_j \le S_j \mid j \in J\} \cup \{\dagger_j \le 1 \mid j \in J\}$

Lemma 4. We have $L_H = \mathrm{cl}_{H_H}(L)$. In particular $L_H$ is $\Theta_H$-closed.
See App. B for a detailed proof of Lemma 4.


Lemma 5. $\mathrm{cl}_H(L) = \pi(L_H)$.

Proof. If $u \in \pi(L_H)$, let $v \in L_H$ such that $u = \pi(v)$. By Lemma 4, there is a derivation tree $T_v$ for $v \in \mathrm{cl}_{H_H}(L)$. Erasing all occurrences of $\dagger_j$ in $T_v$ yields a derivation tree for $u \in \mathrm{cl}_H(L)$.

Conversely, if $u \in \mathrm{cl}_H(L)$ is witnessed by some derivation tree $T_u$, we show by induction on $T_u$ that there exists $v \in L_H \cap \pi^{-1}(u)$. If $T_u$ is a single leaf, we have $u \in L$, and therefore it suffices to take $v = u$.

Otherwise, the rule applied at the root of $T_u$ partitions $u$ into $u = wz$, and has premises $\{wbz \mid b \in [S_j]\}$ for some $j \in J$ and $w, z \in \Sigma^*$. By induction hypothesis, for all $b \in [S_j]$, there is $v_b \in L_H \cap \pi^{-1}(wbz)$. Let $w = w_1 \dots w_n$ and $z = z_1 \dots z_m$ be the decompositions of $w, z$ into letters of $\Sigma$. By definition of $\pi$, for all $b \in [S_j]$, $v_b$ can be written

$v_b = \alpha_{b,0}\, w_1\, \alpha_{b,1}\, w_2 \dots w_n\, \alpha_{b,n}\, b\, \alpha_{b,n+1}\, z_1\, \alpha_{b,n+2} \dots z_m\, \alpha_{b,n+m+1}$,

with $\alpha_{b,0}, \dots, \alpha_{b,n+m+1} \in (\Theta_H)^*$. For each $k \in [0, n+m+1]$, let $\alpha_k = \prod_{b \in [S_j]} \alpha_{b,k}$. Let $w' = \alpha_0 w_1 \alpha_1 \dots w_n \alpha_n$ and $z' = \alpha_{n+1} z_1 \alpha_{n+2} \dots z_m \alpha_{n+m+1}$. By Lemma 4, $L_H$ is $\Theta_H$-closed, so for each $b \in [S_j]$ the word $v'_b = w' b z'$ is in $L_H$, since $v'_b$ is obtained from $v_b$ by adding letters from $\Theta_H$. We can finally build $v = w' \dagger_j z'$. We have $\exp(v) = \bigcup_{b \in [S_j]} \exp(v'_b) \subseteq L$, and $\pi(v) = \pi(w')\pi(z') = wz = u$.


Lemma 6. $L_H$ is a regular language, computable effectively.


Sketch. From a DFA $A = (\Sigma, Q, q_0, F, \delta)$ for $L$, we first build a DFA $A_\wedge = (\Sigma, \mathcal{P}(Q), \{q_0\}, \mathcal{P}(F), \delta_\wedge)$, which corresponds to a powerset construction, except that accepting states are $\mathcal{P}(F)$. This means that the semantics of a state $P$ is the conjunction of its members. We then build $A_H = (\Sigma_H, \mathcal{P}(Q), \{q_0\}, \mathcal{P}(F), \delta_H)$ based on $A_\wedge$, which can additionally read letters of the form $\dagger_j$, by expanding them using the powerset structure of $A_\wedge$.
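As an added illustration (not code from the paper), the following Python builds $A_\wedge$ and $A_H$ from a small DFA and cross-checks the automaton against the definition $L_H = \{u \mid \exp(u) \subseteq L\}$ on every short word. The sample DFA (words over $\{a, b, c\}$ ending in $c$), the two hypotheses and the spelling of the new letters as "†1", "†2" are assumptions; words are tuples of letters so that a new letter can be a multi-character token.

```python
from itertools import product

# Constructed sample DFA A = (Σ, Q, q0, F, δ) for L = [(a+b+c)* c]: words ending in c.
SIGMA = {"a", "b", "c"}
Q0 = 0
F = {1}
DELTA = {(0, "a"): 0, (0, "b"): 0, (0, "c"): 1,
         (1, "a"): 0, (1, "b"): 0, (1, "c"): 1}

# Hypotheses H = {1 <= S_j | j in J}, each S_j given by its set of letters [S_j].
# The new letter for rule j is spelled "†j" (assumption: any token outside Σ would do).
H = {"†1": {"a", "b"},   # rule 1: 1 <= a + b
     "†2": {"c"}}        # rule 2: 1 <= c

def exp(u):
    """exp : (Σ_H)* -> P(Σ*): expand every †_j into each letter of [S_j]; words are tuples."""
    choices = [[x] if x in SIGMA else sorted(H[x]) for x in u]
    return {tuple(w) for w in product(*choices)}

def in_L(w, delta=DELTA, q0=Q0, final=F):
    """Run the DFA A on a word over Σ."""
    q = q0
    for x in w:
        q = delta[(q, x)]
    return q in final

def in_LH_by_definition(u):
    """L_H = exp^{-1}(P(L)) = {u | exp(u) ⊆ L}, checked literally."""
    return all(in_L(w) for w in exp(u))

# A_∧: states are subsets P ⊆ Q read conjunctively, δ_∧(P, a) = {δ(q, a) | q ∈ P},
# and P is accepting iff P ⊆ F (i.e. P ∈ P(F)).
def delta_and(P, a):
    return frozenset(DELTA[(q, a)] for q in P)

# A_H extends A_∧ to Σ_H: δ_H(P, †_j) = ⋃_{b ∈ [S_j]} δ_∧(P, b), expanding †_j via the powerset.
def delta_H(P, x):
    if x in SIGMA:
        return delta_and(P, x)
    return frozenset().union(*(delta_and(P, b) for b in H[x]))

def in_LH_by_automaton(u):
    """Run A_H from {q0}; accept iff the reached set of states is included in F."""
    P = frozenset({Q0})
    for x in u:
        P = delta_H(P, x)
    return P <= frozenset(F)

def agree_on_all_words(max_len):
    """Cross-check both characterisations of L_H on every word of Σ_H of length ≤ max_len."""
    alphabet = sorted(SIGMA | set(H))
    return all(in_LH_by_definition(u) == in_LH_by_automaton(u)
               for n in range(max_len + 1)
               for u in product(alphabet, repeat=n))
```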


Lemma 7. We can construct a regular expression $c$ such that $[c] = \mathrm{cl}_H(L)$ and $\mathsf{KA}_H \vdash c \le f$.


Proof. Let $A_H$ be the DFA constructed for $L_H$ in the proof of Lemma 6. We will use the notations of this proof in the following.

Let $\pi(A_H) = (\Sigma, \mathcal{P}(Q), \{q_0\}, \mathcal{P}(F), \pi(\delta_H))$ be the NFA obtained from $A_H$ by replacing every transition $\delta_H(P, \dagger_j) = R$, where $j \in J$, by a transition $\pi(\delta_H)(P, \varepsilon) = R$. By Lemma 5, the automaton $\pi(A_H)$ recognizes the language $\mathrm{cl}_H(L)$. Let us construct a regular expression $c$ for this automaton such that $\mathsf{KA}_H \vdash c \le f$.

For every $P \in \mathcal{P}(Q)$, let $f_P$ be a regular expression such that $[f_P] = [P]_{A_\wedge}$.

Let $\varphi : \mathcal{P}(Q) \to \mathrm{Exp}_\Sigma$ be the function which maps each state $P$ of $\pi(A_H)$ to $\varphi(P) = f_P$. Let us show that $\varphi$ is $H$-compatible.

If $P \in \mathcal{P}(F)$, then $P$ is a final state of $A_\wedge$, so $1 \in [f_P]$, and by completeness of $\mathsf{KA}$, $\mathsf{KA} \vdash 1 \le f_P$. Let $(P, a, R) \in \pi(A_H)$. Either $a \in \Sigma$, so $(P, a, R) \in A_\wedge$ and $a[f_R] \subseteq [f_P]$, so by Theorem 1 $\mathsf{KA} \vdash a f_R \le f_P$. Or $a = \varepsilon$, so there is $j \in J$ such that $(P, \dagger_j, R) \in A_H$. This means that $R = \bigcup_{b \in [S_j]} R_b$ where $\delta_\wedge(P, b) = R_b$ for all $b \in [S_j]$. We have then that $b[f_{R_b}] \subseteq [f_P]$ for all $b \in [S_j]$. Note that for all $b \in [S_j]$, $R_b \subseteq R$, so $[f_R] \subseteq [f_{R_b}]$ and then $S_j[f_R] \subseteq [f_P]$. By Theorem 1, $\mathsf{KA} \vdash S_j f_R \le f_P$. We have also that $\mathsf{KA}_{H_H} \vdash \dagger_j \le S_j$, so $\mathsf{KA}_{H_H} \vdash \dagger_j f_R \le f_P$.

By Proposition 4, we can construct the desired regular expression c. 
5 Complexity Results for Letter Hypotheses


In this section, we give a recursion-theoretic characterization of $\mathsf{KA}_H$ and $\mathsf{KA}^*_H$ where $H$ is a set of letter hypotheses or $(w \le \sum w)$-hypotheses. In all the section, by "deciding $\mathsf{KA}_H$" we mean deciding whether $\mathsf{KA}_H \vdash e \le f$, given $e, f, H$ as input.

These various complexity classes will be obtained by reduction from some known problems concerning Turing Machines (TM) and alternating linearly bounded automata (LBA), such as the halting problem and universality.

To obtain these reductions, we build on a result which bridges TMs and LBAs 
on one hand and closures on the other: the set of co-reachable configurations of 
a TM (resp. LBA) can be seen as the closure of a well-chosen set of hypotheses. 

We present this result in Sect. 5.1, and show in Sect. 5.2 how to instantiate 
it to get our complexity classes. 


5.1 Closure and Co-reachable States of TMs and LBAs 


Definition 6. An alternating Turing Machine over $\Sigma$ is a tuple $M = (Q, Q_F, \Gamma, \iota, B, \Delta)$ consisting of a finite set of states $Q$ and final states $Q_F \subseteq Q$, a finite working alphabet $\Gamma \supseteq \Sigma$, an initial state $\iota \in Q$, $B \in \Gamma$ the blank symbol and a transition function $\Delta : (Q \setminus Q_F) \times \Gamma \to \mathcal{P}(\mathcal{P}(\{L, R\} \times \Gamma \times Q))$. Let $\#_L, \#_R \notin \Gamma$ be fresh symbols to mark the ends of the tape, and $\Gamma_\# = \Gamma \cup \{\#_L, \#_R\}$.

A configuration is a word $uqav \in \#_L \Gamma^* Q \Gamma^+ \#_R$, where $\#_L$ and $\#_R$ are special symbols not in $\Gamma$, meaning that the head of the TM points to the letter $a$. We denote by $C$ the set of configurations of $M$. A configuration is final if it is of the form $\#_L \Gamma^* Q_F \Gamma^+ \#_R$.

The execution of the TM $M$ over input $w \in \Sigma^*$ may be seen as a game-like scenario between two players $\exists$loise and $\forall$belard over a graph $C \cup (C \times \mathcal{P}(\{L, R\} \times \Gamma \times Q))$, with initial position $\iota w$, which proceeds as follows.


– over a configuration $uqav$ with $a \in \Gamma$, $u, v \in \Gamma_\#^*$, $\exists$loise picks a transition $X \in \Delta(q, a)$ to move to position $(uqav, X)$;
– over a position $(uqav, X)$ with $a \in \Gamma$, $u, v \in \Gamma_\#^*$, $\forall$belard picks a triple $(d, c, r) \in X$ to move to configuration
  • $ucrB\#_R$ if $v = \#_R$ and $d = R$,
  • $ucrv$ if $v \ne \#_R$ and $d = R$,
  • $\#_L rBcv$ if $u = \#_L$ and $d = L$,
  • $\#_L u' rbcv$ if $u = \#_L u' b$ and $d = L$.


Given a subset of configurations $D \subseteq C$, we define $\mathrm{Attr}^{\exists}_M(D)$, the $\exists$loise attractor for $D$, as the set of configurations from which $\exists$loise may force the execution to go through $D$.

A deterministic TM $M$ is one where every $\Delta(q, a) \subseteq \{\{(d, c, r)\}\}$ for some $(d, c, r) \in \{L, R\} \times \Gamma \times Q$. In such a case, we may identify $M$ with the underlying partial function $[M] : \Sigma^* \rightharpoonup Q_F$.
An alternating linearly bounded automaton over the alphabet $\Sigma$ is a tuple $A = (Q, Q_F, \Gamma, \iota, \Delta)$ where $(Q, Q_F, \Gamma \cup \{B\}, \iota, B, \Delta)$ is a TM that does not insert $B$ symbols. This means that the head can point to $\#_d$ (for $d \in \{L, R\}$), and for every $X \in \Delta(q, \#_d)$ and $(d', a, r) \in X$, we have $d \ne d'$ and $a = \#_d$.

An LBA is deterministic if its underlying TM is. 


Definition 7. A set of $(w \le \sum w)$-hypotheses is said to be length-preserving if for every $(v \le \sum_{i \in I} v_i) \in H$, we have that $|v| = |v_i|$ for all $i \in I$.


The following lemma generalizes a similar construction from [13]. 


Lemma 8. For every TM $M$ of working alphabet $\Gamma$, there exists a set of $(w \le \sum w)$-hypotheses $H_M$ over the alphabet $\Theta = Q \cup \Gamma$ such that, for any set of configurations $D \subseteq C$, we have that $\mathrm{cl}_{H_M}(D) = \mathrm{Attr}^{\exists}_M(D)$. Furthermore, this reduction is polytime computable, and $H_M$ is length-preserving if $M$ is an LBA.


A configuration $c$ is co-reachable if $\exists$loise has a strategy to reach a final configuration from $c$. Lemma 8 shows that the set of co-reachable configurations can be seen as the closure by $(w \le \sum w)$-hypotheses. Since we are also interested in $(x \le \sum x)$-hypotheses, we will show that $(w \le \sum w)$-hypotheses can be transformed into letter hypotheses. Moreover, this transformation preserves the length-preserving property.


Theorem 5. Let $\Sigma$ be an alphabet, $H$ be a set of $(w \le \sum w)$-hypotheses over $\Sigma$. There exists an extended alphabet $\Sigma' \supseteq \Sigma$, a set of $(x \le \sum w)$-hypotheses $H'$ over $\Sigma'$ and a regular expression $h \in \mathrm{Exp}_{\Sigma'}$, such that the following holds for every $f \in \mathrm{Exp}_\Sigma$ and $w \in \Sigma^*$:

$w \in \mathrm{cl}_H([f])$ if and only if $w \in \mathrm{cl}_{H'}([f + h])$

Furthermore, we guarantee the following:

– $(\Sigma', H', h)$ can be computed in polynomial time from $(\Sigma, H)$.
– $H'$ is length-preserving whenever $H$ is.


5.2 Complexity Results 


Lemma 9. If $H$ is a set of length-preserving $(w \le \sum w)$-hypotheses (resp. a set of $(x \le \sum x)$-hypotheses), $w \in \Sigma^*$ and $f \in \mathrm{Exp}_\Sigma$, deciding $\mathsf{KA}^*_H \vdash w \le f$ is EXPTIME-complete.


Proof. We actually show that our problem is complete in alternating-PSPACE (APSPACE), which enables us to conclude as EXPTIME and APSPACE coincide. First, notice that by completeness of $\mathsf{KA}^*_H$ over this fragment (Proposition 2), we have $\mathsf{KA}^*_H \vdash w \le f \Leftrightarrow w \in \mathrm{cl}_H([f])$. Hence, we work directly with the latter notion. It suffices to show hardness for the $(x \le \sum x)$ case and membership for the $(w \le \sum w)$ case.

Given an arbitrary alternating Turing Machine $M$ in APSPACE there exists a polynomial $p \in \mathbb{N}[X]$ such that executions of $M$ over words $w$ are bisimilar to executions of $\mathrm{LBA}(M)$ over $wB^{p(|w|)}$. Hence, by Lemma 8 and Theorem 5, the problem with $(x \le \sum x)$-hypotheses is APSPACE-hard. Conversely, we may show that our problem with $(w \le \sum w)$-hypotheses falls into APSPACE. On input $w$, the alternating algorithm first checks whether $w \in [f]$ in linear time. If it is the case, it returns "yes". Otherwise, it non-deterministically picks a factorization $w = uxv$ with $x \in \Sigma^*$ and a hypothesis $x \le \sum_i y_i$. It then universally picks $y_i \in \Sigma^{|x|}$, and replaces $x$ by $y_i$ on the tape, so that the new tape content is $w = uy_iv$. Then the algorithm loops back to its first step. In parallel, we keep track of the number of steps and halt by returning "no" as soon as we reach $|\Sigma|^{|w|}$ steps. This is correct because, if there is a derivation tree witnessing $w \in \mathrm{cl}_H([f])$, there is one where on every path, all nodes have distinct labels, so the nondeterministic player can play according to this tree, while the universal player selects a branch.
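The alternating algorithm above, as an added deterministic Python rendering for length-preserving hypotheses (not code from the paper): the existential choice becomes a loop over factorizations and hypotheses, the universal choice an `all(...)` over the premises, and the step counter is replaced by the observation that labels never need to repeat along a path. It assumes that $[f]$ is given as a Python `re` pattern, so that `re.fullmatch` plays the role of the linear-time membership test.

```python
import re

# A hypothesis x <= y_1 + ... + y_k is encoded as (x, frozenset({y_1, ..., y_k})).
# Length preservation (|x| = |y_i|) keeps the set of words reachable from w finite.
Hypothesis = tuple[str, frozenset[str]]

def check_length_preserving(hyps: list[Hypothesis]) -> None:
    for x, ys in hyps:
        for y in ys:
            if len(x) != len(y):
                raise ValueError(f"hypothesis on {x!r} is not length-preserving: {y!r}")

def in_closure(w: str, f: str, hyps: list[Hypothesis]) -> bool:
    """Decide w ∈ cl_H([f]) for a set H of length-preserving hypotheses.

    f is a regular expression in Python `re` syntax (assumption: the paper's
    expressions are abstract; `re` is used here only as the membership oracle for [f]).
    """
    check_length_preserving(hyps)
    pattern = re.compile(f)

    def derivable(u: str, path: frozenset) -> bool:
        # Step 1: u ∈ [f] is a leaf of a derivation tree, the existential player wins.
        if pattern.fullmatch(u):
            return True
        # A derivation whose path repeats a label can be shortened, so a label already on
        # the current path never needs to be re-derived below itself; this bounds the
        # search just as the |Σ|^|w| step counter does in the alternating algorithm.
        if u in path:
            return False
        below = path | {u}
        # Existential choice: a factorization u = p x s and a hypothesis x <= Σ y_i ...
        for x, ys in hyps:
            start = 0
            while (pos := u.find(x, start)) != -1:
                prefix, suffix = u[:pos], u[pos + len(x):]
                # ... then the universal choice: every premise p y_i s must be derivable.
                if all(derivable(prefix + y + suffix, below) for y in ys):
                    return True
                start = pos + 1
        return False

    return derivable(w, frozenset())
```

With `H = {a <= b + c}` and `f = b*c*`, the word `bac` is in the closure (both `bbc` and `bcc` are in $[f]$) while `cab` is not; with `H = {a <= b, b <= a}` and `f = c*`, the search on `ab` terminates with "no" thanks to the path check.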


Theorem 6. Deciding $\mathsf{KA}^*_H$ is $\Pi^0_1$-complete for $(x \le \sum x)$-hypotheses.


Proof. By Lemma 9 and the fact that regular expressions are in recursive bijection with natural numbers, our set is clearly $\Pi^0_1$. To show completeness, we effectively reduce the set of universal LBAs, which is known to be $\Pi^0_1$-complete, to our set of triples. Indeed, by Lemma 8, an LBA $A$ is universal if and only if $\#_L \{\iota\} \Sigma^* \#_R \subseteq \mathrm{cl}_{H_A}(C_F)$ where $C_F$ is the set of final configurations.


Theorem 7. If $H$ is a set of $(x \le \sum w)$-hypotheses, $w \in \Sigma^*$ and $f \in \mathrm{Exp}_\Sigma$, deciding $\mathsf{KA}_H \vdash w \le f$ is $\Sigma^0_1$-complete.


Proof. As $\mathsf{KA}_H$ is a recursively enumerable theory, our set is $\Sigma^0_1$. By the completeness theorem (Proposition 2), we have $\mathsf{KA}_H \vdash w \le f \Leftrightarrow \mathsf{KA}^*_H \vdash w \le f \Leftrightarrow w \in \mathrm{cl}_H([f])$, so we may work directly with closure. In order to show completeness, we reduce the halting problem for Turing machines (on empty input) to this problem. Let $M$ be a Turing machine with alphabet $\Sigma$ and final state $q_f$, and $H_M$ be the set of $(w \le \sum w)$-hypotheses given effectively by Lemma 8. Let $f = \Theta^* q_f \Theta^*$; by Lemma 8, $M$ halts on empty input if and only if $q_0 \in \mathrm{cl}_{H_M}([f])$. Notice that hypotheses of $H_M$ are of the form $u \le V$ where $u \in \Theta^*$ and $V \subseteq \Theta^*$ is finite. By Theorem 5, we can compute a set $H'$ of $(x \le \sum w)$-hypotheses, and an expression $h$ on an extended alphabet such that $q_0 \in \mathrm{cl}_{H_M}([f]) \Leftrightarrow q_0 \in \mathrm{cl}_{H'}([f + h])$.


Theorem 8. Deciding $\mathsf{KA}^*_H$ is $\Pi^0_2$-complete for $(x \le \sum w)$-hypotheses.


Proof. This set is $\Pi^0_2$ by Theorem 7. It is complete by reduction from the set of Turing Machines accepting all inputs, which is known to be $\Pi^0_2$. Indeed, let $M$ be a Turing Machine on alphabet $\Sigma$ with final state $q_f$; by Lemma 8, we can compute a set of $(w \le \sum w)$-hypotheses $H_M$ with finite languages in second components such that $c \in \mathrm{cl}_{H_M}(c')$ if and only if configuration $c'$ is reachable from $c$. As before, by Theorem 5, we can compute a set of letter hypotheses $H'$ with finite languages in second components, and a regular expression $h$ on an extended alphabet, such that $\mathrm{cl}_{H'}([f + h]) \cap \Theta^* = \mathrm{cl}_{H_M}([f])$ for any $f \in \mathrm{Exp}_\Theta$. Let $C_f = \Sigma^* q_f \Sigma^*$; we obtain that $M$ accepts all inputs if and only if $[q_0 \Sigma^*] \subseteq \mathrm{cl}_{H'}([C_f + h])$, which achieves the proof of $\Pi^0_2$-completeness.
Theorem 9. Deciding $\mathsf{KA}^*_H$ is $\Pi^1_1$-complete for $(x \le g)$-hypotheses ($g \in \mathrm{Exp}_\Sigma$).


Sketch. It is shown in [13] that the problem is complete with hypotheses of the form $H = H_w \cup \{x \le g\}$, where $H_w$ is a set of length-preserving $(w \le \sum w)$-hypotheses. A slight refinement of Theorem 5 allows us to reduce this problem to hypotheses of the form $x \le g$.


5.3 Undecidability of $\mathsf{KA}_H$ for Sums of Letters


Fix an alphabet $\Sigma$, a well-behaved coding function $[\cdot]$ of Turing machines with final states $\{0, 1\}$ into $\Sigma^*$ and a recursive pairing function $\langle \cdot, \cdot \rangle : \Sigma^* \times \Sigma^* \to \Sigma^*$. A universal total $F : \Sigma^* \to \{0, 1\}$ is a function such that, for every total Turing machine $M$ and input $w \in \Sigma^*$, we have $F(\langle [M], w \rangle) = [M](w)$. In particular, $F$ should be total and is not uniquely determined over codes of partial Turing machines. The next folklore lemma follows from an easy diagonal argument.


Lemma 10. There is no universal total Turing machine. 


Our strategy is to show that decidability of $\mathsf{KA}_H$ with $(x \le \sum x)$-hypotheses would imply the existence of a universal total TM. To do so, we need one additional lemma.


Lemma 11. Suppose that $M = (Q, Q_F, \Gamma, \iota, B, \Delta)$ is a total Turing machine with final states $\{0, 1\}$ and initial state $\iota$. Let $w \in \Sigma^*$ be an input word for $M$.

Then there is effectively a set of length-preserving $(w \le \sum w)$-hypotheses $H$ and expressions $e_w, h$ such that $[M](w) = 1$ if and only if $\mathsf{KA}_H \vdash e_w \le h$.


Theorem 10. $\mathsf{KA}_H$ is undecidable for $(x \le \sum x)$-hypotheses.


Proof. Assume that $\mathsf{KA}_H$ is decidable. This means that we have an algorithm $\mathcal{A}$ taking tuples $(\Sigma, w, f, H)$, with $H$ consisting only of sum-of-letters hypotheses, and returning true when $\mathsf{KA}_H \vdash w \le f$ and false otherwise. Without loss of generality, we can assume that $\mathcal{A}$ is total. By Theorem 5, we may even provide an algorithm $\mathcal{A}'$ taking as input tuples $(w, f, H)$ where $H$ is a set of length-preserving $(w \le \sum w)$-hypotheses with a similar behaviour: $\mathcal{A}'$ returns true when $\mathsf{KA}_H \vdash w \le f$ and false otherwise.

Given $\mathcal{A}'$, consider $M$ defined so that $[M](\langle [N], w \rangle) = [\mathcal{A}'](e_w, h, H)$, where the last tuple is given by Lemma 11. We show that $M$ is a total universal Turing machine. Since such a machine cannot exist by Lemma 10, this is enough to conclude. Since $\mathcal{A}'$ is total, so is $M$. For total Turing Machines $N$, Lemma 11 guarantees that $[N](w) = 1$ if and only if $[\mathcal{A}'](e_w, h, H) = [M](\langle [N], w \rangle) = 1$. Since both $[\mathcal{A}']$ and $[M]$ are total with codomain $\{0, 1\}$, we really have $[M](\langle [N], w \rangle) = [N](w)$.
Abstract. In this paper, we give a new definition of partial Higher 
Dimension Automata using lax functors. This definition is simpler and 
more natural from a categorical point of view, but also matches more 
clearly the intuition that pHDA are Higher Dimensional Automata with 
some missing faces. We then focus on trees. Originally, for example in 
transition systems, trees are defined as those systems that have a unique 
path property. To understand what kind of unique property is needed in 
pHDA, we start by looking at trees as colimits of paths. This definition 
tells us that trees are exactly the pHDA with the unique path property 
modulo a notion of homotopy, and without any shortcuts. This property 
allows us to prove two interesting characterisations of trees: trees are 
exactly those pHDA that are an unfolding of another pHDA; and trees 
are exactly the cofibrant objects, much as in the language of Quillen’s 
model structure. In particular, this last characterisation gives the pre- 
misses of a new understanding of concurrency theory using homotopy 
theory. 


Keywords: Higher Dimensional Automata · Trees · Homotopy theories


1 Introduction 


Higher Dimensional Automata (HDA, for short), introduced by Pratt in [23], 
are a geometric model of true concurrency. Geometric, because they are defined 
very similarly to simplicial sets, and can be interpreted as glueings of geometric 
objects, here hypercubes of any dimension. Similarly to other models of concurrency such as event structures [21], asynchronous systems [1,25], or transition systems with independence [22], they model true concurrency, in the sense that 
they distinguish interleaving behaviours from simultaneous behaviours. In [12], 
van Glabbeek proved that they form the most powerful models of a hierarchy of 
concurrent models. In [6], Fahrenberg described a notion of bisimilarity of HDA 
using the general framework of open maps from [17]. While this work is very natural, it is confronted with a design problem: paths (or executions) cannot be nicely 
encoded as HDA. Indeed, in a HDA, it is impossible to model the fact that two 
actions must be executed at the same time, or that two actions are executed 
at the same time but one must start before the other. From a geometric point 
of view, those impossibilities are expressed by the fact that we deal with closed 
cubes, that is, cubes that must contain all of their faces. Motivated by those 
examples, Fahrenberg, in [7], extended HDA to partial HDA, intuitively, HDA 
with cubes with some missing faces. If the intuition is clear, the formalisation is 
still complicated to achieve: the definition from [7] misses the point that faces 
can be not uniquely defined. This comes from the fact that Fahrenberg wanted 
to stick to the ‘local’ definition of precubical sets, that is, that cubes must satisfy 
some local conditions about faces. As we will show, those local equations are not 
enough in the partial case. Another missed point is the notion of morphisms of 
partial HDA: as defined in [7], the natural property that morphisms map execu- 
tions to executions is not satisfied. In Sect. 2, we address those issues by giving 
a new definition of partial HDA in terms of lax functors. This definition, similar 
to the presheaf theoretic definition of HDA, avoids the issues discussed above by 
considering global inclusions, instead of local equations. This illustrates more 
clearly the intuition of partial HDA being HDA with missing faces: we coher- 
ently replace sets and total functions by sets and partial functions. From this 
similarity with the original definition of HDA, we can prove that it is possible to 
complete a partial HDA to turn it into a HDA, by adding the missing faces, and 
from this completion, it is possible to define a geometric realisation of pHDA 
(which was impossible with Fahrenberg’s definition). 

The geometry of Higher Dimensional Automata, and more generally, of 
true concurrency, has been studied since Goubault’s PhD thesis [13]. Since 
then, numerous pieces of work relating algebraic topology and true concurrency 
have been achieved (for example, see the textbooks [9,14]). In particular, some 
attempts of defining nice homotopy theories for true concurrency (or directed 
topology), through the language of model structures of Quillen [24], have been 
made by Gaucher [10], and the author [3]. In the second part of this paper 
(Sects. 3, 4 and 5), we consider another point of view of this relationship between 
HDA and model structures. The goal is not to understand the true concurrency 
of HDA, that is, understanding the homotopy theory of HDA as an abstract 
homotopy theory, but to understand the concurrency theory of HDA. By this 
we mean to understand how paths (or executions) and extensions of paths can 
be understood using (co)fibrations (in Quillen’s sense). Also, the goal is not to 
construct a model structure, as Quillen’s axioms would fail, but to give intuitions 
and some preliminary formal statements toward the understanding of concur- 
rency using homotopy theory. Using this point of view, many constructions in 
concurrency can be understood using the language of model structures: 


— Open maps from [17] can be understood as trivial fibrations, namely weak 
equivalences (here, bisimulations) that have the right lifting properties with 
respect to some morphisms. 
— Those morphisms are precisely extensions of executions, which means that 
they can be seen as cofibration generators (in the language of cofibrantly 
generated model structures [15]). 

— Cofibrations are then morphisms that have the left lifting property with 
respect to open maps. In particular, this allows us to define cofibrant objects 
as those objects whose unique morphisms from the initial object is a cofibra- 
tion. In a way, cofibrant objects are those objects that are constructed by just 
using extensions of paths, and should correspond to trees. 

— The cofibrant replacement is then given by canonically constructing a cofi- 
brant object, which is weakly equivalent (here, bisimilar) to a given object. 
That should correspond to the unfolding. 

The main ingredient is to understand what trees are in this context. In the case of transition systems for semantics of CCS [19], synchronisation trees are those systems with exactly one path from the initial state to any state. Those trees are then much simpler to reason on, but they are still powerful enough to capture any bisimulation type: by unfolding, it is possible to canonically construct a tree from a system. The goal of Sects. 3 and 4 will be to understand how to generalise this to pHDA. In this context, it is not clear what kind of unique path property should be considered as, in general, in truly concurrent systems, we have to deal with homotopies, namely, equivalences of paths modulo permutation of independent actions. Following [4], we will first consider trees as colimits of paths. This will guide us to determine what kind of unique path property is needed: a tree is a pHDA with exactly one class of paths modulo a notion of homotopy, from the initial state to any state, and without any shortcuts. This will be proved by defining a suitable notion of unfolding of pHDA. Finally, in Sect. 5, we prove that those trees coincide exactly with the cofibrant objects, illustrating the first steps of this new understanding of concurrency, using homotopy theory.


2 Fixing the Definition of pHDA 


In this Section, we review the definitions of HDA (Sect. 2.1), the first one using 
face maps, and the second one using presheaves. In Sect. 2.2, we describe the 
definition of partial HDA from [7] and explain why it does not give us what we 
are expecting. We tackle those issues by introducing a new definition in Sect. 2.3, 
extending the presheaf theoretic definition, using lax functors instead of strict 
functors. Finally, in Sect.2.4, we prove that HDA form a reflective subcategory 
of partial HDA, by constructing a completion of a partial HDA. 


2.1 Higher Dimensional Automata 


Higher Dimensional Automata are an extension of transition systems: they are 
labeled graphs, except that, in addition to vertices and edges, the graph structure 
also has higher dimensional data, expressing the fact that several actions can be 
made at the same time. Those additional data are intuitively cubes filling up 
interleaving: if a and b can be made at the same time, instead of having an 
empty square as on the left figure, with a.b and b.a as only behaviours, we have 
a full square as on the right figure, with any possible behaviours in-between. This 
requires to extend the notion of graph to add those higher dimensional cubical 
data: that is the notion of precubical sets. 


[Figure: on the left, the empty square with edges labelled a and b, whose only behaviours are a.b and b.a; on the right, the full square, filled in, where a and b happen at the same time.]


Concrete Definition of Precubical Sets. A precubical set $X$ is a collection of sets $(X_n)_{n \in \mathbb{N}}$ together with a collection of functions $(\partial^\alpha_{i,n} : X_n \to X_{n-1})_{n > 0,\ 1 \le i \le n,\ \alpha \in \{0,1\}}$ satisfying the local equations $\partial^\alpha_{i,n} \circ \partial^\beta_{j,n+1} = \partial^\beta_{j,n} \circ \partial^\alpha_{i+1,n+1}$ for every $\alpha, \beta \in \{0,1\}$, $n > 0$ and $1 \le j \le i \le n$. A morphism of precubical sets from $X$ to $Y$ is a collection of functions $(f_n : X_n \to Y_n)_{n \in \mathbb{N}}$ satisfying the equations $f_n \circ \partial^\alpha_{i,n+1} = \partial^\alpha_{i,n+1} \circ f_{n+1}$ for every $n \in \mathbb{N}$, $1 \le i \le n$ and $\alpha \in \{0,1\}$. The elements of $X_0$ are called points, $X_1$ segments, $X_2$ squares, $X_n$ $n$-cubes. In the following, we will call past (resp. future) $i$-face maps the $\partial^0_{i,n}$ (resp. $\partial^1_{i,n}$). We denote this category of precubical sets by $\mathbf{pCub}$.


Precubical Sets as Presheaves. Equivalently, $\mathbf{pCub}$ is the category of presheaves over the cubical category $\square$, the subcategory of $\mathbf{Set}$ whose objects are the sets $\{0,1\}^n$ for $n \in \mathbb{N}$ and whose morphisms are generated by the so-called coface maps:

$d^\alpha_{i,n} : \{0,1\}^{n-1} \to \{0,1\}^n, \qquad (\beta_1, \dots, \beta_{n-1}) \mapsto (\beta_1, \dots, \beta_{i-1}, \alpha, \beta_i, \dots, \beta_{n-1})$

A precubical set is a functor $X : \square^{op} \to \mathbf{Set}$, that is, a presheaf over $\square$, and a morphism of precubical sets is a natural transformation.


Higher Dimensional Automata [11]. From now on, fix a set $L$, called the alphabet. We can form a precubical set also noted $L$ such that $L_n = L^n$ and the $i$-face maps are given by $\partial^\alpha_i(a_1 \dots a_n) = a_1 \dots a_{i-1}.a_{i+1} \dots a_n$. We can also form the following precubical set $*$ such that $*_0 = \{*\}$ and $*_n = \emptyset$ for $n > 0$. A HDA $X$ on $L$ is a bialgebra $* \to X \to L$ in $\mathbf{pCub}$. In other words, a HDA $X$ is a precubical set, also noted $X$, together with a specified point, the initial state, $i \in X_0$ and a labelling function $\lambda : X_1 \to L$ satisfying the equations $\lambda \circ \partial^0_i = \lambda \circ \partial^1_i$ for $i \in \{1, 2\}$ (see previous figure, right). A morphism of HDA from $X$ to $Y$ is a morphism $f$ of precubical sets from $X$ to $Y$ such that $f_0(i_X) = i_Y$ and $\lambda_X = \lambda_Y \circ f_1$. HDA on $L$ and morphisms of HDA form a category that we denote by $\mathbf{HDA}_L$. This category can also be defined as the double slice category $*/\mathbf{pCub}/L$. Remark that we are only concerned with labelling-preserving morphisms, not general morphisms as described in [5].
2.2 Original Definition of Partial Higher Dimensional Automata 


Originally [7], partial HDA are defined similarly to the concrete definition of 
HDA, except that the face maps can be partial functions and the local equations 
hold only when both sides are well defined. There are two reasons why it fails to 
give the good intuition: 

– first, the 'local' equations are not enough in the partial case. Imagine that we want to model a full cube $c$ without its lower face, that is, $\partial^0_3$ is not defined on $c$, and such that $\partial^1_1$ is undefined on $\partial^1_1(c)$ and $\partial^1_2(c)$, that is, we remove an edge. We cannot prove using the local equations that $\partial^1_1 \circ \partial^0_2 \circ \partial^1_1(c) = \partial^1_1 \circ \partial^0_2 \circ \partial^1_2(c)$, that is, that the vertices of the cube are uniquely defined. Indeed, to prove this equality using the local equations, you can only permute two consecutive $\partial$. From $\partial^1_1 \circ \partial^0_2 \circ \partial^1_1(c)$, you can:

  • either permute the first two and you obtain $\partial^0_1 \circ \partial^1_1 \circ \partial^1_1(c)$,
  • or permute the last two and you obtain $\partial^1_1 \circ \partial^1_1 \circ \partial^0_3(c)$,

and both faces are not defined. On the other hand, those two should be equal because the comaps $d^1_1 \circ d^0_2 \circ d^1_1$ and $d^1_2 \circ d^0_2 \circ d^1_1$ are equal in $\square$, and $\partial^1_1 \circ \partial^0_2 \circ \partial^1_1$ and $\partial^1_1 \circ \partial^0_2 \circ \partial^1_2$ are both defined on $c$.

[Figure: the cube $c$ with its lower face and one edge not defined.]


– secondly, the notion of morphism is not good (or at least, ambiguous). The equations $f_n \circ \partial^\alpha_{i,X} = \partial^\alpha_{i,Y} \circ f_{n+1}$ hold in [7] only when both face maps are defined, which authorises many morphisms. For example, consider the segment $I$, and the 'split' segment $I'$ which is defined as $I$, except that no face maps are defined (geometrically, this corresponds to two points and an open segment). The identity map from $I$ to $I'$ is a morphism of partial precubical sets in the sense of [7], which is unexpected. A bad consequence of that is that the notion of paths in a partial HDA does not correspond to morphisms from some particular partial HDA, and paths are not preserved by morphisms, as we will see later.

[Figure: the segment $I$ (two points joined by a segment) and the split segment $I'$ (two points and an open segment).]


2.3 Partial Higher Dimensional Automata as Lax Functors 


The idea is to generalise the 'presheaf' definition of precubical sets. The problem is to deal with partial functions and when two of them should coincide. Let $\mathbf{pSet}$ be the category of sets and partial functions. A partial function $f : X \to Y$ can be either seen as a pair $(A, f)$ of a subset $A \subseteq X$ and a total function $f : A \to Y$, or as a functional relation $f \subseteq X \times Y$, that is, a relation such that for every $x \in X$, there is at most one $y \in Y$ with $(x, y) \in f$. We will freely use both views in the following. For two partial maps $f, g : X \to Y$, we write $f \approx g$ if and only if for every $x \in X$ such that $f(x)$ and $g(x)$ are defined, then $f(x) = g(x)$. Note that this is not equality, but equality on the intersection of the domains. We also write $f \subseteq g$ if and only if $f$ is included in $g$ as a relation, that is, if and only if, for every $x \in X$ such that $f(x)$ is defined, then $g(x)$ is defined and $f(x) = g(x)$. By a lax functor $F : C \to \mathbf{pSet}$, we mean the following data [20]:


– for every object $c$ of $C$, a set $Fc$,
– for every morphism $i : c \to c'$, a partial function $Fi : Fc \to Fc'$,

satisfying that $F\,\mathrm{id}_c = \mathrm{id}_{Fc}$ and $Fj \circ Fi \subseteq F(j \circ i)$.

The point is that partial precubical sets as defined in [7] do not satisfy the second condition, while they should. In addition, this definition will authorise a square to have vertices, that is, that some $\partial \circ \partial$ are defined, while having no edge, that is, no $\partial$ defined. This may be useful to define paths as discrete traces in [8] (that we will call shortcuts later), that is, paths that can go directly from a point to a square for example. Observe also that if $j \circ i = j' \circ i'$ then $Fj \circ Fi \approx Fj' \circ Fi'$, which gives us the local equations from [7]. A partial precubical set $X$ is then a lax functor $F : \square^{op} \to \mathbf{pSet}$. It becomes harder to describe explicitly what a partial precubical set is, since we cannot restrict to the $\partial^\alpha_i$ anymore. It is a collection of sets $(X_n)_{n \in \mathbb{N}}$ together with a collection of partial functions $(\partial^{\alpha_1, \dots, \alpha_k}_{i_1 < \dots < i_k} : X_{n+k} \to X_n)$ satisfying the inclusions

$\partial^{\beta_1, \dots, \beta_m}_{j_1 < \dots < j_m} \circ \partial^{\alpha_1, \dots, \alpha_n}_{i_1 < \dots < i_n} \subseteq \partial^{\gamma_1, \dots, \gamma_{n+m}}_{k_1 < \dots < k_{n+m}}$

where the $k$s and $\gamma$s are defined as follows: $(k_1 < \dots < k_{n+m}; \gamma_1, \dots, \gamma_{n+m}) = (i_1 < \dots < i_n; \alpha_1, \dots, \alpha_n) * (j_1 < \dots < j_m; \beta_1, \dots, \beta_m)$, where $*$ is defined by induction on $n + m$:

– if $n = 0$, $\varepsilon * (j_1 < \dots < j_m; \beta_1, \dots, \beta_m) = (j_1 < \dots < j_m; \beta_1, \dots, \beta_m)$,
– if $m = 0$, $(i_1 < \dots < i_n; \alpha_1, \dots, \alpha_n) * \varepsilon = (i_1 < \dots < i_n; \alpha_1, \dots, \alpha_n)$,
– if $i_1 \le j_1$, $(i_1 < \dots < i_n; \alpha_1, \dots, \alpha_n) * (j_1 < \dots < j_m; \beta_1, \dots, \beta_m) = (i_1; \alpha_1).\big((i_2 < \dots < i_n; \alpha_2, \dots, \alpha_n) * (j_1 + 1 < \dots < j_m + 1; \beta_1, \dots, \beta_m)\big)$,
– if $i_1 > j_1$, $(i_1 < \dots < i_n; \alpha_1, \dots, \alpha_n) * (j_1 < \dots < j_m; \beta_1, \dots, \beta_m) = (j_1; \beta_1).\big((i_1 < \dots < i_n; \alpha_1, \dots, \alpha_n) * (j_2 < \dots < j_m; \beta_2, \dots, \beta_m)\big)$.
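As an added worked example (not code from the paper), this Python implements the merge $*$ and checks, on the precubical set $L$ of Sect. 2.1 whose face maps drop a letter, that taking the $j$-faces after the $i$-faces coincides with the single composite face $(i; \alpha) * (j; \beta)$ for every pair of composable faces of a small cube. The tuple encoding and the convention that a composite face takes the $(i_k, \alpha_k)$ face first (as spelled out in Sect. 2.4) are assumptions.

```python
from itertools import combinations, product

# A composite face ∂^{α_1...α_k}_{i_1<...<i_k} is encoded as [(i_1, α_1), ..., (i_k, α_k)] with
# strictly increasing 1-based indices. Convention (assumption, matching Sect. 2.4): it takes
# the (i_k, α_k) face first, then the (i_{k-1}, α_{k-1}) face, and so on.
Face = list[tuple[int, int]]

def apply_face(cube: tuple, spec: Face) -> tuple:
    """Face maps of the precubical set L (L_n = L^n): ∂^α_i drops the i-th letter, whatever α is."""
    for i, _alpha in reversed(spec):
        if not 1 <= i <= len(cube):
            raise ValueError(f"index {i} out of range for a {len(cube)}-cube")
        cube = cube[:i - 1] + cube[i:]
    return cube

def star(spec_i: Face, spec_j: Face) -> Face:
    """(i_1<...<i_n; α) * (j_1<...<j_m; β), by induction on n + m as in the definition above."""
    if not spec_i:                       # n = 0
        return list(spec_j)
    if not spec_j:                       # m = 0
        return list(spec_i)
    (i1, a1), rest_i = spec_i[0], spec_i[1:]
    if i1 <= spec_j[0][0]:
        # (i_1; α_1).((i_2<...<i_n; α_2..α_n) * (j_1+1<...<j_m+1; β_1..β_m))
        return [(i1, a1)] + star(rest_i, [(j + 1, b) for j, b in spec_j])
    # (j_1; β_1).((i_1<...<i_n; α_1..α_n) * (j_2<...<j_m; β_2..β_m))
    return [spec_j[0]] + star(spec_i, spec_j[1:])

def composite_matches_star(cube: tuple, spec_i: Face, spec_j: Face) -> bool:
    """∂_{(j;β)} ∘ ∂_{(i;α)} (i-faces first, then j-faces) against the single face (i;α)*(j;β)."""
    sequential = apply_face(apply_face(cube, spec_i), spec_j)
    merged = apply_face(cube, star(spec_i, spec_j))
    return sequential == merged

def all_faces(n: int):
    """Every composite face of an n-cube: increasing index lists of any length, with all α's."""
    for k in range(n + 1):
        for idxs in combinations(range(1, n + 1), k):
            for alphas in product((0, 1), repeat=k):
                yield list(zip(idxs, alphas))

def exhaustive_check(dim: int) -> bool:
    """Check the identity for every pair of composable faces of the dim-cube labelled 1..dim."""
    cube = tuple(range(1, dim + 1))
    return all(composite_matches_star(cube, si, sj)
               for si in all_faces(dim)
               for sj in all_faces(dim - len(si)))
```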


A function-valued op-lax transformation [20] from $F : C \to \mathbf{pSet}$ to $G : C \to \mathbf{pSet}$ is a collection $(f_c)_{c \in \mathrm{Ob}(C)}$ of total functions such that for every $i : c \to d$, $f_d \circ F(i) \subseteq G(i) \circ f_c$. A morphism of partial precubical sets from $X$ to $Y$ is then a function-valued op-lax transformation. In other words, this is a collection of total functions $(f_n : X_n \to Y_n)_{n \in \mathbb{N}}$ satisfying the equations $f_n \circ \partial^{\alpha_1, \dots, \alpha_k}_{i_1 < \dots < i_k} \subseteq \partial^{\alpha_1, \dots, \alpha_k}_{i_1 < \dots < i_k} \circ f_{n+k}$. Partial precubical sets and morphisms of partial precubical sets form a category that we denote by $\mathbf{ppCub}$. $\mathbf{pCub}$ is a full subcategory of $\mathbf{ppCub}$. In particular, the precubical sets $*$ and $L$ are partial precubical sets. A partial HDA $X$ on $L$ is a partial precubical set, also noted $X$, together with a specified point, the initial state $i \in X_0$, and a morphism of $\mathbf{ppCub}$, the labelling functions, $(\lambda_n : X_n \to L^n)_{n \in \mathbb{N}}$. A morphism of pHDA from $X$ to $Y$ is a morphism $f$ of partial precubical sets from $X$ to $Y$ such that $f_0(i_X) = i_Y$ and $\lambda_X = \lambda_Y \circ f$. Partial HDA on $L$ and morphisms of partial HDA form a category that we note $\mathbf{pHDA}_L$. In other words, this is the double slice category $*/\mathbf{ppCub}/L$.
2.4 Completion of a pHDA 


Let us describe how it is possible to construct a HDA from a pHDA $X$, by 'completing' $X$, that is, by adding the faces that are missing, and by connecting the faces that are not. Let

$Y_n = \{((i_1 < \dots < i_k; \alpha_1, \dots, \alpha_k), x) \mid x \in X_{n+k} \wedge i_k \le n + k\}$

$Y = (Y_n)_{n \in \mathbb{N}}$ is intuitively the collection of all abstract faces of all cubes of $X$, that is, pairs of a cube and all possible ways to define a face from it. Of course, some of those are the same, since there are several ways to describe a cube as the face of some other cube. Define $\sim$ as the smallest equivalence relation such that:

— if OMe Sk (x) is defined, then 


41 <<... <ap 
((i1 <... <tpjpan,..-, QR), £) ~ (€, ci ae (x)). 


This means that, if a face of a cube exists in X, this face is identified with 
both abstract faces (e, 8p 22; (x)) (ie., the cube 8ft Sy (x) itself) and 
((i1 <... < ik; Q1,- -,@k), £) (ie., the face of x, which consists of taking the 
(ix, 2%) face, then the (i,-1, @—1) face, and so on). 

— if (ii E E , Ap), £) ~ (ji Lluru K ju B1,-+-, BDY), then (ii < 

wee < ik; Q1,- AK) * (ia), £) ~ (G1 <... < ju Bi,- -, 61) * (i, @), y). This 
means that if two abstract faces coincide, then taking both their (i, a) face 
gives two abstract faces that also coincide. 
Let y(X)n = Yn/ ~ and we denote by < (i1 < ... < igjai,...,Qk),2 > 
the equivalence class of ((i1 < ... < ik; Q1,- -,@k), £) modulo ~. We define 
the i-face map as F (<«& (i, <... < ik; Q1- akh >) = Kli <i. < 
ik; @1;,...,Qk) * (i,@),x >>, the initial state as < €,i >> and the labelling 
function as A(K (i1 <... < ip; Q1,..-, OK), 2 >>) = 67 0... 0 8p" (A(x). 


Theorem 1. $\chi$ is a well-defined functor and is the left adjoint of $\iota$, the injection of $\mathrm{HDA}_L$ into $\mathrm{pHDA}_L$. Furthermore, $\mathrm{HDA}_L$ is a reflective subcategory of $\mathrm{pHDA}_L$.


Now, we can define the geometric realisation of a pHDA $X$ as the subspace of the realisation of $\chi(X)$ consisting of points whose carrier is of the form $\langle \varepsilon, x \rangle$ for some $x \in X$. This really corresponds to the drawings we have been using to depict pHDA until now.


3 Paths in Partial Higher Dimensional Automata 


Executions of HDA are defined using the notion of paths. Those paths describe the succession of starts and ends of actions in a HDA. For example, a HDA can start an action, then start another one at the same time, and then finish the two actions. Such a sequence is then not just a sequence of 1-dimensional transitions, since some actions can happen at the same time, but a sequence of hypercubes corresponding to the evolution of the state of the system. We will formalise this idea in Sect. 3.2, and we will see in particular that those paths can be encoded in the category $\mathrm{pHDA}_L$ (while it is not possible in the category $\mathrm{HDA}_L$) as morphisms from particular pHDA, called path shapes. In Sect. 3.1, let us first start by recalling the general framework of [17].


3.1 Path Category, Open Maps, Coverings 


In the general framework of [17], we start with a category $M$ of systems, together with a subcategory $P$ of execution shapes. For example, keep in mind the case where $M$ is the category of transition systems and $P$ is the full subcategory of finite linear systems. One interesting remark about this case is that executions of a given system are in bijective correspondence with morphisms from a finite linear system to this given system. This means that to reason about behaviours of such systems, it is enough to reason about morphisms and execution shapes.


This idea was formalised by describing precisely which morphisms are witnesses for the existence of a bisimulation between systems. This description uses right lifting properties: we say that a morphism $f : X \to Y$ has the right lifting property with respect to $g : X' \to Y'$ if for every $x : X' \to X$ and $y : Y' \to Y$ such that $f \circ x = y \circ g$, there exists $\theta : Y' \to X$ such that $x = \theta \circ g$ and $f \circ \theta = y$.

[Diagram: the lifting square, with $x : X' \to X$ on top, $g : X' \to Y'$ and $f : X \to Y$ as vertical arrows, $y : Y' \to Y$ at the bottom and the lift $\theta : Y' \to X$ as the diagonal.]

For example, let us assume that $f$ is a morphism of transition systems and that $X'$ and $Y'$ are finite linear systems. Then $x$ (resp. $y$) is the same as an execution in $X$ (resp. $Y$), and $f \circ x = y \circ g$ means that the execution $y$ is an extension of the image of the execution $x$ by $f$. The right lifting property means that the longer execution $y$ of $Y$ can be lifted to a longer execution $\theta$ of $X$, that is, $\theta$ is an extension of $x$ and the image of $\theta$ by $f$ is $y$. This property of lifting longer executions is precisely the property needed on a morphism to make its graph relation a bisimulation. Such morphisms are also very similar to morphisms of coalgebras [16]. We call $P$-open (or simply open when $P$ is clear) a morphism that has the right lifting property with respect to every morphism in $P$. From open maps, it is possible to describe similarity and bisimilarity as the existence of a span of morphisms/open maps, and many kinds of bisimilarities can be captured in this way [17]. An open map is said to be a $P$-covering (or simply covering) if furthermore the lifts in the right lifting properties are unique. Being a covering is a very strong requirement, as coverings correspond to partial unfoldings of a system.
3.2 Encoding Paths in pHDA


In this section, we describe the classical notion of execution of HDA from [12], extended to partial HDA in [7], defined using the notion of path. We then show that those executions can be encoded as an execution shapes subcategory, as in the general framework of [17], proving in particular that paths are in bijective correspondence with a class of morphisms. A path $\pi$ of a HDA $X$ is a sequence $\pi = x_0 \xrightarrow{j_1, \alpha_1} x_1 \xrightarrow{j_2, \alpha_2} \dots \xrightarrow{j_n, \alpha_n} x_n$ where $x_k \in X$, $j_k > 0$ and $\alpha_k \in \{0, 1\}$ are such that for every $k$:

- if $\alpha_k = 0$, then $x_{k-1} = \partial^0_{j_k}(x_k)$,
- if $\alpha_k = 1$, then $x_k = \partial^1_{j_k}(x_{k-1})$.

[Figure: in red, a path $\pi$ in the pHDA $X$.]

This definition can easily be extended to pHDA, by requiring that the $j_k$-face maps are defined on $x_k$ or $x_{k-1}$. A natural property of executions and morphisms is that morphisms map executions to executions. This is the case here (while it is not for [7], e.g., the split segment):

Proposition 1. If $f : X \to Y$ is a map of pHDA and if $\pi = x_0 \xrightarrow{j_1, \alpha_1} x_1 \xrightarrow{j_2, \alpha_2} \dots \xrightarrow{j_n, \alpha_n} x_n$ is a path in $X$, then $\pi' = f(x_0) \xrightarrow{j_1, \alpha_1} f(x_1) \xrightarrow{j_2, \alpha_2} \dots \xrightarrow{j_n, \alpha_n} f(x_n)$ is a path in $Y$.


One advantage of considering pHDA instead of HDA is that paths can be encoded in pHDA, which is not really possible in HDA. It is done as follows. A spine $\sigma$ is a sequence $(d_0, w_0) \xrightarrow{j_1, \alpha_1} (d_1, w_1) \xrightarrow{j_2, \alpha_2} \dots \xrightarrow{j_n, \alpha_n} (d_n, w_n)$ where $j_k > 0$, $d_k \in \mathbb{N}$, $w_k \in L^{d_k}$ and $\alpha_k \in \{0, 1\}$ are such that:

- if $\alpha_k = 0$, then $d_{k-1} = d_k - 1$, $\partial^0_{j_k}(w_k) = w_{k-1}$ and $j_k \le d_k$,
- if $\alpha_k = 1$, then $d_k = d_{k-1} - 1$, $\partial^1_{j_k}(w_{k-1}) = w_k$ and $j_k \le d_{k-1}$.


A path $\pi$ has an underlying spine $\sigma$, obtained by mapping each $x_k$ to the pair of its dimension and its label. A spine $\sigma$ induces a pHDA $B_\sigma$ as follows:

- $B_{\sigma, p} = \{k \in \{0, \dots, n\} \mid d_k = p\}$,
- the partial face maps $\partial^\alpha_i$ are the smallest (as relations ordered by inclusion) partial functions such that:
  • if $\alpha_k = 0$, then $\partial^0_{j_k}(k) = k - 1$,
  • if $\alpha_k = 1$, then $\partial^1_{j_k}(k - 1) = k$,
  • $\partial^{\beta_1, \dots, \beta_m}_{j_1, \dots, j_m} \circ \partial^{\alpha_1, \dots, \alpha_n}_{i_1, \dots, i_n} = \partial^{\gamma_1, \dots, \gamma_{n+m}}_{k_1, \dots, k_{n+m}}$ for $(k_1, \dots, k_{n+m};\ \gamma_1, \dots, \gamma_{n+m}) = (i_1, \dots, i_n;\ \alpha_1, \dots, \alpha_n) * (j_1, \dots, j_m;\ \beta_1, \dots, \beta_m)$,
- the initial state is $0$,
- the labelling functions $\lambda_n$ map $k$ to $w_k$.

[Figure: the pHDA $X$ (with one face not defined) and the path shape $B_\sigma$ of the spine $\sigma$ of $\pi$.]
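The composition $*$ of face sequences from Sect. 2 and the path shape construction just given, as an added example in Python (not code from the paper): `compose` implements the four cases of $*$, the face of a label word drops one letter, and the composition rule is checked against actually applying the faces to words; `path_shape` then builds $B_\sigma$ for a constructed spine and checks that its labelling respects every defined face. The function names, the word-based check and the sample spine are my assumptions.

```python
# Added example, not code from the paper: the composition `*` of face
# sequences (Sect. 2) and the path shape B_sigma of a spine (Sect. 3.2).
# Conventions taken from the text: (i1<...<ik; a1..ak) applied to a cube x
# takes the (ik, ak) face first, then (i_{k-1}, a_{k-1}), ..., so it is the
# composite d^{a1}_{i1} o ... o d^{ak}_{ik}(x); s * t means "apply s, then t".
# The i-th face of a label word drops its i-th letter (1-indexed), whatever
# alpha is, which lets us test the rule for `*` on plain words.
from itertools import combinations


def compose(s, t):
    """Normal form of s * t for lists of (index, alpha) pairs with strictly
    increasing indices: the four cases of the definition."""
    if not s:
        return list(t)
    if not t:
        return list(s)
    (i1, a1), (j1, b1) = s[0], t[0]
    if i1 <= j1:
        # d_{i1} stays outermost; every j must move past it, hence the +1
        return [(i1, a1)] + compose(s[1:], [(j + 1, b) for j, b in t])
    return [(j1, b1)] + compose(s, t[1:])


def face_word(word, i):
    """i-th face (1-indexed) of a word in L^n; undefined when i > n."""
    if not 1 <= i <= len(word):
        raise ValueError(f"face {i} undefined on a word of length {len(word)}")
    return word[:i - 1] + word[i:]


def apply_seq(seq, word):
    """Apply (i1<...<ik; ...) to a word: the i_k face first, down to i_1."""
    for i, _alpha in reversed(seq):
        word = face_word(word, i)
    return word


def composition_law_holds(n):
    """apply(t, apply(s, w)) == apply(s * t, w) for every pair of face
    sequences applicable to an n-letter word, and s * t is increasing."""
    word = "abcdefgh"[:n]
    for k in range(n + 1):
        for idx in combinations(range(1, n + 1), k):
            s = [(i, 0) for i in idx]
            mid = apply_seq(s, word)
            for m in range(len(mid) + 1):
                for jdx in combinations(range(1, len(mid) + 1), m):
                    t = [(j, 1) for j in jdx]
                    c = compose(s, t)
                    if apply_seq(t, mid) != apply_seq(c, word):
                        return False
                    if any(c[p][0] >= c[p + 1][0] for p in range(len(c) - 1)):
                        return False
    return True


def path_shape(cells, arrows):
    """B_sigma for the spine cells[0] -arrows[0]-> cells[1] -> ..., where
    cells = [(d_k, w_k)] and arrows = [(j_k, alpha_k)].  Returns the cells
    grouped by dimension and the face maps as {face sequence: {k: d(k)}}."""
    assert len(arrows) == len(cells) - 1
    for k, (j, a) in enumerate(arrows, start=1):
        (dp, wp), (dk, wk) = cells[k - 1], cells[k]
        if a == 0:  # starting an action: w_{k-1} is the j-th face of w_k
            assert dp == dk - 1 and j <= dk and face_word(wk, j) == wp
        else:       # finishing one: w_k is the j-th face of w_{k-1}
            assert dk == dp - 1 and j <= dp and face_word(wp, j) == wk
    by_dim = {}
    for k, (d, _w) in enumerate(cells):
        by_dim.setdefault(d, []).append(k)
    # local faces d^0_{j_k}(k) = k-1 and d^1_{j_k}(k-1) = k, closed under
    # composition: in a path shape the composites are the monotone runs
    faces = {}
    for k in range(len(cells)):
        seq, cur = [], k
        while cur > 0 and arrows[cur - 1][1] == 0:        # walk backwards
            seq = compose(seq, [(arrows[cur - 1][0], 0)])
            cur -= 1
            faces.setdefault(tuple(seq), {})[k] = cur
        seq, cur = [], k
        while cur < len(arrows) and arrows[cur][1] == 1:  # walk forwards
            seq = compose(seq, [(arrows[cur][0], 1)])
            cur += 1
            faces.setdefault(tuple(seq), {})[k] = cur
    return by_dim, faces


def labelling_is_morphism(cells, faces):
    """k -> w_k is a morphism of partial precubical sets: whenever d_seq(k)
    is defined in B_sigma, applying seq to w_k gives w_{d_seq(k)}."""
    return all(apply_seq(list(seq), cells[k][1]) == cells[k2][1]
               for seq, m in faces.items() for k, k2 in m.items())


# Constructed spine of the path "start a, start b, finish a, finish b".
SPINE_CELLS = [(0, ""), (1, "a"), (2, "ab"), (1, "b"), (0, "")]
SPINE_ARROWS = [(1, 0), (2, 0), (1, 1), (1, 1)]
```

`composition_law_holds(4)` exhausts every pair of face sequences on a 4-cube, which is where the $+1$ shift in the $i_1 \le j_1$ case shows up.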


By a path shape, we mean such a pHDA $B_\sigma$. The set $\mathrm{Spine}_L$ of spines can be partially ordered by prefix. $B$ can then be extended to an embedding from $\mathrm{Spine}_L$ to $\mathrm{pHDA}_L$. We note $\mathrm{PS}_L$ the image of this embedding, i.e., the full subcategory of path shapes.

Proposition 2. There is a bijection between paths in a pHDA $X$ and morphisms of pHDA from a path shape to $X$.

Again, this is not true with the definition of morphisms from [7] (e.g., the split segment). As an example, the red path $\pi$ above corresponds to a morphism from the path shape $B_\sigma$ to $X$.


4 Trees and Unfolding in pHDA 


In this section, we introduce our notion of trees. Following [4], we consider trees as colimits (or glueings) of paths. Section 4.1 is dedicated to proving that those colimits actually exist, by giving an explicit construction of them. From this explicit construction, we will describe the kind of unique path properties that are satisfied by those trees in Sect. 4.2. Starting by showing that the strict unicity of paths fails, we then describe a notion of homotopy, the confluent homotopy, which is weaker than the one from [12], for which every tree has the property that there is exactly one homotopy class of paths from the initial state to any state. We will also see that, because the face maps of trees are defined in a local way, they do not have any shortcuts, that is, paths that 'skip' dimensions, for example, going from a point to a square without going through a segment. Finally, in Sect. 4.3, we will prove that those two properties — the unicity of paths modulo confluent homotopy, and the non-existence of shortcuts — completely characterise trees. This proof will use a suitable notion of unfolding of pHDA, showing furthermore that trees form a coreflective subcategory of pHDA.


4.1 Trees, as Colimits of Paths in pHDA 


In this section, we give an explicit construction of colimits of diagrams with values in path shapes. Those will be our first definition of trees in pHDA, following [4]. Let $D : C \to \mathrm{PS}_L$ be a small diagram with values in $\mathrm{PS}_L$, that is, a functor from $C$ to $\mathrm{PS}_L$. Let us use some notations: for every object $u$ of $C$, $D_u = B_{\sigma_u}$ with $\sigma_u = (d^u_0, w^u_0) \xrightarrow{j^u_1, \alpha^u_1} (d^u_1, w^u_1) \xrightarrow{j^u_2, \alpha^u_2} \dots \xrightarrow{j^u_{l_u}, \alpha^u_{l_u}} (d^u_{l_u}, w^u_{l_u})$. The definition of the colimit $\mathrm{col}\,D$ will be in two steps. The first step consists in putting all the paths $D_u$ side by side, and in glueing them together along the morphisms $D_f$, for every morphism $f$ of $C$. This is done as follows. Define $(X_n)_{n \in \mathbb{N}}$ to be:

- $X_0 = \{(u, k) \mid u \in C,\ k \le l_u \wedge d^u_k = 0\} \cup \{\varepsilon\}$,
We quotient $X_n$ by the smallest equivalence relation $\sim$ (for inclusion) such that:

- for every $u$, $(u, 0) \sim \varepsilon$,
- if $i : u \to v \in C$, and if $k \le l_u, l_v$, then $(u, k) \sim (v, k)$.

We denote by $Y_n$ the quotient $X_n / \sim$, and by $[u, k]$ the equivalence class of $(u, k)$ modulo $\sim$.

At this stage, we still do not have the colimit because it is not possible to 
define the face maps. Let us consider the following example. 


[Figure: a pushout square of the path shapes $A$, $B$ and $C$, with spines of the form $(0, \varepsilon) \to (1, a) \to (2, ab)$ and $(0, \varepsilon) \to (1, b) \to (2, ab)$, and the expected pushout $D$ in the bottom-right corner.]


$A$, $B$ and $C$ are path shapes, and we would like to compute their pushout. The expected outcome is $D$, since we must identify the three squares by the previous construction. The problem is that the previous construction does not identify $\beta_1$ and $\beta_2$. Those two must be identified because they are both the top right corner of the same square (after identification). We hence need to quotient a little more to be able to define the face maps, as follows. Define $Z_n$ to be the quotient of $Y_n$ by the smallest equivalence relation $\sim$ such that if there are two sequences $u_0, \dots, u_l$ and $v_0, \dots, v_l$ such that:

- $[u_0, k] \sim [v_0, k]$,
- for every $0 \le s \le l$, $\alpha^{u_s}_{k+s+1} = \alpha^{v_s}_{k+s+1} = 1$,
- for every $0 \le s < l$, $[u_s, k+s+1] \sim [u_{s+1}, k+s+1]$ and $[v_s, k+s+1] \sim [v_{s+1}, k+s+1]$,
- $(j^{u_0}_{k+1}, \alpha^{u_0}_{k+1}) * \dots * (j^{u_l}_{k+l+1}, \alpha^{u_l}_{k+l+1}) = (j^{v_0}_{k+1}, \alpha^{v_0}_{k+1}) * \dots * (j^{v_l}_{k+l+1}, \alpha^{v_l}_{k+l+1})$,

then $[u_l, k+l+1] \sim [v_l, k+l+1]$. $\mathrm{col}\,D$ is the pHDA $Z_n$ with the face maps being the smallest relations for inclusion such that:

- if $\alpha^u_k = 0$, then $\partial^0_{j^u_k}((u, k))$ is defined and is equal to $(u, k-1)$,
- if $\alpha^u_{k+1} = 1$, then $\partial^1_{j^u_{k+1}}((u, k))$ is defined and is equal to $(u, k+1)$,
- $\partial^{\beta_1, \dots, \beta_m}_{j_1, \dots, j_m} \circ \partial^{\alpha_1, \dots, \alpha_n}_{i_1, \dots, i_n} = \partial^{\gamma_1, \dots, \gamma_{n+m}}_{k_1, \dots, k_{n+m}}$ for $(k_1, \dots, k_{n+m};\ \gamma_1, \dots, \gamma_{n+m}) = (i_1, \dots, i_n;\ \alpha_1, \dots, \alpha_n) * (j_1, \dots, j_m;\ \beta_1, \dots, \beta_m)$.

The initial state is $[\varepsilon]$ and the labelling $\lambda : \mathrm{col}\,D \to L$ maps $[(u, k)]$ to $w^u_k$.
Proposition 3. $\mathrm{col}\,D$ is the colimit of $D$ in $\mathrm{pHDA}_L$.


By tree we mean any pHDA that is the colimit of a diagram with values in path shapes. We denote by $\mathrm{Tr}_L$ the full subcategory of trees.


4.2 The Unique Path Properties of Trees 


Failure of the Unicity of Paths. Let us consider the pushout square above again. In particular, the pHDA on the bottom-right corner is a tree, by definition. However, there are two paths from $\alpha$ to $\beta$ (in red and blue). This actually comes from the fact that we needed to identify $\beta_1$ and $\beta_2$ to be able to define the face maps. This means that trees do not have the unique path property.


Confluent Homotopy. A careful reader may have observed that the only difference between the two previous paths is that some future faces are swapped. Actually, this is the only obstacle to the unicity of paths for trees: there is a unique path modulo the equivalence of paths that permutes arrows of the form $\xrightarrow{j, 1}$. That is what we call confluent homotopy. This confluent homotopy will be defined by restricting the elementary homotopies of [12] to be of only one type out of the four possible, which means our notion of homotopy makes fewer paths equivalent than the one from [12].

We say that a path $\pi = x_0 \xrightarrow{j_1, \alpha_1} x_1 \xrightarrow{j_2, \alpha_2} \dots \xrightarrow{j_n, \alpha_n} x_n$ is elementary confluently homotopic to a path $\pi' = x'_0 \xrightarrow{j'_1, \alpha'_1} x'_1 \xrightarrow{j'_2, \alpha'_2} \dots \xrightarrow{j'_n, \alpha'_n} x'_n$, and denote it by $\pi \sim_{eh} \pi'$, if and only if there are $0 < s < t \le n$ such that:

- for all $k < s$ or $k > t$, $x_k = x'_k$,
- for all $k < s$ or $k > t$, $j_k = j'_k$ and $\alpha_k = \alpha'_k$,
- for all $s \le k \le t$, $\alpha_k = \alpha'_k = 1$,
- $(j_s, \alpha_s) * \dots * (j_t, \alpha_t) = (j'_s, \alpha'_s) * \dots * (j'_t, \alpha'_t)$.

We denote by $\sim_{ch}$, and call confluent homotopy, the reflexive transitive closure of $\sim_{eh}$.


Lemma 1. If X is a tree, then for every element (of any dimension) x of X, 
there is exactly one path modulo confluent homotopy from the initial state to x. 


Shortcuts. The face maps of path shapes and of the colimits we computed in Sect. 4.1 are of a very particular form: we start by defining the $\partial^\alpha_i$ and we extend this definition to general $\partial^{\alpha_1, \dots, \alpha_n}_{i_1 < \dots < i_n}$ (in a way, they are locally defined, and then extended to higher face maps). This means in particular that, in addition to having unique paths modulo confluent homotopy, they also do not have any 'shortcut'. A possible shortcut can be defined as a generalisation of paths, in which we allow transitions that go, for example, from a point to a square or to a cube, not only to segments, a shortcut being such a possible shortcut which is not confluently homotopic to a path. Those shortcuts may occur in a pHDA, even if it has the unique path property. Concretely, by shortcut we mean the following situation: the face $\partial^{\alpha_1, \dots, \alpha_n}_{i_1 < \dots < i_n}(x)$ is defined, but there is no sequence $(j_1; \beta_1) * \dots * (j_n; \beta_n) = (i_1 < \dots < i_n;\ \alpha_1, \dots, \alpha_n)$ such that $\partial^{\beta_n}_{j_n} \circ \dots \circ \partial^{\beta_1}_{j_1}(x)$ is defined. By local-definedness of the face maps:

Lemma 2. Trees do not have any shortcuts.


Trees. We say that a pHDA has the unique path property modulo con- 
fluent homotopy if it has no shortcut, and there is exactly one class of paths 
modulo confluent homotopy from the initial state to any state. Given such a 
pHDA X and an element x of X, by depth of x we mean the length of a path 
from the initial state to x in X. Since homotopic paths have the same length, 
this is uniquely defined. We deduce from the previous discussions that: 


Proposition 4. Trees have the unique path property modulo confluent homotopy.


In the following, we will prove the converse: trees, defined as colimits of path shapes, are exactly those pHDA that have the unique path property modulo confluent homotopy. This will be done by proving that such a pHDA $X$ is isomorphic to its unfolding. A question that occurs now is the following. Much as in the general framework of [4], trees are colimits of paths. Everything tends to work well when those trees have a nice property, which we called accessibility: intuitively, that the colimit process does not 'create' paths. This property is actually deeply related to the unicity of paths. Since this unicity fails in the case of pHDA, accessibility fails too. However, an accessibility modulo confluent homotopy holds: the colimit process in pHDA does not create confluent homotopy classes of paths.


4.3 Trees Are Unfoldings 


We are now constructing our unfolding $U(X)$ of a pHDA $X$ by giving an explicit definition, similar to [6,11], and proving that this is a tree. We will prove that there is a covering $\mathrm{unf}_X : U(X) \to X$, which in particular means that the unfolding $U(X)$ is $\mathrm{PS}_L$-bisimilar (in the general sense of [17]) to $X$, and that this covering is actually an isomorphism when $X$ has the unique path property modulo confluent homotopy.


Unfolding of a pHDA. Let us start with a few notations. Given a path $\pi = x_0 \xrightarrow{j_1, \alpha_1} x_1 \xrightarrow{j_2, \alpha_2} \dots \xrightarrow{j_n, \alpha_n} x_n$, we note $e(\pi) = x_n$, $l(\pi) = n$ and $\pi_{-k} = x_0 \xrightarrow{j_1, \alpha_1} x_1 \xrightarrow{j_2, \alpha_2} \dots \xrightarrow{j_{n-k}, \alpha_{n-k}} x_{n-k}$. Given a pHDA $X$, its unfolding is the following pHDA:

- $U(X)_n$ is the set of equivalence classes $[\pi]$ of paths modulo confluent homotopy such that $e(\pi)$ is of dimension $n$,
- the face maps are the smallest relations for inclusion such that:
  • $\partial^1_i(a) = [\pi \xrightarrow{i, 1} \partial^1_i(e(\pi))]$, for any $\pi \in a$ such that $\partial^1_i(e(\pi))$ is defined,
  • $\partial^0_i(a) = [\pi_{-1}]$ for any $\pi \in a$ such that $\pi = \pi_{-1} \xrightarrow{i, 0} e(\pi)$,
  • $\partial^{\beta_1, \dots, \beta_m}_{j_1, \dots, j_m} \circ \partial^{\alpha_1, \dots, \alpha_n}_{i_1, \dots, i_n} = \partial^{\gamma_1, \dots, \gamma_{n+m}}_{k_1, \dots, k_{n+m}}$ for $(k_1, \dots, k_{n+m};\ \gamma_1, \dots, \gamma_{n+m}) = (i_1, \dots, i_n;\ \alpha_1, \dots, \alpha_n) * (j_1, \dots, j_m;\ \beta_1, \dots, \beta_m)$,
- the initial state is $[i]$,
- the labelling is given by $\lambda(a) = \lambda(e(\pi))$ for $\pi \in a$.
Following ideas from [4] again, the unfolding can be seen as the glueing of all pos- 
sible executions of a system, but with care needed to handle confluent homotopy. 
Concretely: 


Proposition 5. The unfolding of a pHDA is a tree. 
We can also define $\mathrm{unf}_X : U(X) \to X$ as the function that maps $[\pi]$ to $e(\pi)$.
Proposition 6. $\mathrm{unf}_X$ is a covering, and so, $U(X)$ is $\mathrm{PS}_L$-bisimilar to $X$.


The Unique Path Property Characterises Trees. When $X$ has exactly one class of paths modulo confluent homotopy from the initial state to any state, it is possible to define a function $\eta_X : X \to U(X)$ that maps any element $x$ of $X$ to the unique confluent homotopy class of paths to $x$. When furthermore $X$ does not have shortcuts, then $\eta_X$ is actually a morphism of pHDA.

Proposition 7. When $X$ has the unique path property modulo confluent homotopy, then $\eta_X$ is the inverse of $\mathrm{unf}_X$. In particular, $X$ is a tree.


Together with Proposition 4, this implies the following: 


Theorem 2. Trees are exactly the pHDA that have the unique path property 
modulo confluent homotopy. 


Another consequence is that this isomorphism $\eta_X$ is actually natural (in the categorical sense) and is part of an adjunction, which implies that trees form a coreflective subcategory of pHDA:

Corollary 1. $U$ extends to a functor, which is the right adjoint of the embedding $\iota : \mathrm{Tr}_L \to \mathrm{pHDA}_L$. Furthermore, this is a coreflection.


5 Cofibrant Objects 


Cofibrant objects are another type of 'simple objects', coming from homotopy theory, more particularly the language of model categories from [24]. Those cofibrant objects are those whose unique morphism from the initial object is a cofibration. Intuitively (an intuition which holds at least in cofibrantly generated model structures [15]), this means that cofibrant objects are those objects constructed from 'nothing', using only very basic constructions (generators of cofibrations). In the case of the classical model structure on topological spaces (Kan-Quillen), those spaces are those constructed from the empty space by adding 'cells', which produces what are called CW-complexes. In this section, we want to mimic this idea with trees: trees are those pHDA constructed from an initial state by only extending paths. We also want to emphasize that much as CW-complexes give a kind of homotopy type of a space, trees give a concurrency type of a pHDA, in the sense that there is a canonical way to produce an equivalent cofibrant object out of any object, which is called the cofibrant replacement in homotopy theory. In concurrency theory, this is the unfolding.
5.1 Cofibrant Objects in $\mathrm{pHDA}_L$

Following the language of model structures from [24], we say that a pHDA $X$ is cofibrant if for every $\mathrm{PS}_L$-open morphism $f : Y \to Z$ and every morphism $g : X \to Z$, there is a morphism $h : X \to Y$ such that $f \circ h = g$. That is, a partial HDA $X$ is cofibrant if and only if every $\mathrm{PS}_L$-open morphism has the right lifting property with respect to the unique morphism from the initial object to $X$.

[Diagram: the lifting triangle with $h : X \to Y$, $f : Y \to Z$ and $g : X \to Z$.]


5.2 Cofibrant Objects Are Exactly Trees 
In this section, we would like to prove the following: 
Theorem 3. The cofibrant objects are exactly trees. 


Let us start by giving the idea of the proof of the fact that cofibrant objects are trees. By Proposition 6, $\mathrm{unf}_X$ is a covering, so is open. This means that for every cofibrant object $X$, there is a morphism $h : X \to U(X)$ such that $\mathrm{unf}_X \circ h = \mathrm{id}_X$, that is, $X$ is a retract of its unfolding.

[Diagram: the lift $h : X \to U(X)$ of $\mathrm{id}_X$ along $\mathrm{unf}_X : U(X) \to X$.]

Since we know that the unfolding is a tree by Proposition 5, it is enough to observe the following:


Lemma 3. A retract of a tree is a tree. 


Intuitively, a pHDA is the retract of a tree only when it is obtained by retracting branches. This can only produce a tree. For the converse:

Proposition 8. A tree is a cofibrant object. Furthermore, if $f : Y \to Z$ is a covering, then the lift $h : X \to Y$ is unique.

The lift $h$ is constructed by induction as follows. We define $X_n$ as the restriction of $X$ to elements whose depth is smaller than $n$, where the face maps $\partial^{\alpha_1, \dots, \alpha_k}_{i_1 < \dots < i_k}(x)$ are defined if and only if $\partial^{\alpha_1, \dots, \alpha_k}_{i_1 < \dots < i_k}(x)$ is defined in $X$ and belongs to $X_n$. We then construct $h_n : X_n \to Y$ using the unique path property modulo confluent homotopy, in a natural way (in the categorical meaning), i.e., such that $h_n \circ \kappa_n = h_{n-1}$, where $\kappa_n : X_{n-1} \to X_n$ is the inclusion. $h$ is then the inductive limit of those $h_n$. This proof can be seen as a small object argument.


5.3 The Unfolding Is Universal 


As an application of the previous theorem, we would like to prove that the unfolding is universal. As in the case of covering spaces in algebraic topology, a covering corresponds to a partial unrolling of a system, in the sense that we can unroll some loops or even partially unroll a loop (imagine for example executing a few steps of a while-loop). In this sense, we can describe the fact that a covering unrolls more than another one, and that an unfolding is a complete unrolling: since the domain is a tree, it is impossible to unroll more. Actually, much as in the topological and the groupoidal cases (see [18] for example), unfoldings are the only such maximal unrollings among coverings: they are initial among coverings, which is why we call them 'universal'. In a way, this says that our definition of unfolding is the only reasonable one. Concretely, we say that a $\mathrm{PS}_L$-covering is universal if its domain is a tree.


Corollary 2. If $f : Y \to X$ is a universal covering, then for every covering $g : Z \to X$ there is a unique map $h : Y \to Z$ such that $f = g \circ h$. Furthermore, $h$ is itself a covering. Consequently, the universal covering is unique up to isomorphism, and is given by the unfolding.


This whole story is similar to the universal covering of a topological space: 
just replace pHDA by spaces and trees by simply-connected spaces [2]. 


6 Conclusion and Future Work 


In this paper, we have given a cleaner definition of partial precubical sets and partial Higher Dimensional Automata, as they really correspond to collections of cubes with missing faces. From this categorical definition, we derived that pHDA can be completed, giving rise to a geometric realisation. We also described the first premises of a homotopy theory of the concurrency of pHDA, where the cofibrant objects are trees and the replacement is the unfolding. As future work, we could look at a wider class of paths, typically allowing shortcuts as paths, or introducing general homotopies in the path category, which is possible because we can encode those inside the category of pHDA. Another direction would be to continue the description of this homotopy theory, to see if it corresponds to some kind of Quillen model structure, or at least to some weaker version (e.g., a category of cofibrant objects).
Abstract. This paper investigates the satisfiability problem for Separation Logic with $k$ record fields, with unrestricted nesting of separating conjunctions and implications, for prenex formulæ with quantifier prefix $\exists^*\forall^*$. In analogy with first-order logic, we call this fragment Bernays-Schönfinkel-Ramsey Separation Logic [$\mathrm{BSR}(\mathrm{SL}^k)$]. In contrast to existing work in Separation Logic, in which the universe of possible locations is assumed to be infinite, both finite and infinite universes are considered. We show that, unlike in first-order logic, the (in)finite satisfiability problem is undecidable for $\mathrm{BSR}(\mathrm{SL}^k)$. Then we define two non-trivial subsets thereof, that are decidable for finite and infinite satisfiability respectively, by controlling the occurrences of universally quantified variables within the scope of separating implications, as well as the polarity of the occurrences of the latter. Besides the theoretical interest, our work has natural applications in program verification, for checking that constraints on the shape of a data structure are preserved by a sequence of transformations.


1 Introduction 


Separation Logic [10,14], or SL, is a logical framework used in program verification to describe properties of the dynamically allocated memory, such as topologies of data structures (lists, trees), (un)reachability between pointers, etc. In a nutshell, given an integer $k \ge 1$, the logic $\mathrm{SL}^k$ is obtained from the first-order theory of a finite partial function $h : U \rightharpoonup U^k$ called a heap, by adding two substructural connectives: (i) the separating conjunction $\phi_1 * \phi_2$, that asserts a split of the heap into disjoint heaps satisfying $\phi_1$ and $\phi_2$ respectively, and (ii) the separating implication or magic wand $\phi_1 \mathrel{-\!*} \phi_2$, stating that each extension of the heap by a heap satisfying $\phi_1$ must satisfy $\phi_2$. Intuitively, $U$ is the universe of possible memory locations (cells) and $k$ is the number of record fields in each memory cell.

The separating connectives $*$ and $\mathrel{-\!*}$ allow concise definitions of program semantics, via weakest precondition calculi [10], and easy-to-write specifications of recursive linked data structures (e.g. singly- and doubly-linked lists, trees with linked leaves and parent pointers, etc.), when higher-order inductive definitions are added [14]. Investigating the decidability and complexity of the satisfiability problem for fragments of SL is of theoretical and practical interest. In this paper, we consider prenex SL formulæ with prefix $\exists^*\forall^*$. In analogy with first-order logic with equality and uninterpreted predicates [12], we call this fragment Bernays-Schönfinkel-Ramsey SL [$\mathrm{BSR}(\mathrm{SL}^k)$].

© The Author(s) 2019

As far as we are aware, all existing work on SL assumes that the universe (set 
of available locations) is countably infinite. This assumption is not necessarily 
realistic in practice since the available memory is usually finite, although the 
bound depends on the hardware and is not known in advance. The finite universe 
hypothesis is especially useful when dealing with bounded memory issues, for 
instance checking that the execution of a program satisfies its postcondition, 
provided that there are sufficiently many available memory cells. In this paper 
we consider both the finite and infinite satisfiability problems. We show that 
both problems are undecidable for $\mathrm{BSR}(\mathrm{SL}^k)$ (unlike in first-order logic) and 
that they become PSPACE-complete under some additional restrictions, related 
to the occurrences of the magic wand and universal variables: 


1. The infinite satisfiability problem is PSPACE-complete if the positive occurrences of $\mathrel{-\!*}$ (i.e., the occurrences of $\mathrel{-\!*}$ that are in the scope of an even number of negations) contain no universal variables.

2. The finite satisfiability problem is PSPACE-complete if there is no positive occurrence of $\mathrel{-\!*}$ (i.e., $\mathrel{-\!*}$ only occurs in the scope of an odd number of negations).


Reasoning on finite domains is more difficult than on infinite ones, due to the possibility of asserting cardinality constraints on unallocated cells, which explains why the latter condition is more restrictive than the former one. Actually, the finite satisfiability problem is undecidable even if there is only one positive occurrence of $\mathrel{-\!*}$ with no variable within the scope of $\mathrel{-\!*}$. These results establish sharp decidability frontiers within $\mathrm{BSR}(\mathrm{SL}^k)$.

Undecidability is shown by reduction from BSR first-order formulæ with two monadic function symbols. To establish the decidability results, we first show that every quantifier-free SL formula can be transformed into an equivalent boolean combination of formulæ of some specific patterns, called test formulæ. This result is interesting in itself, since it provides a precise and intuitive characterization of the expressive power of SL: it shows that separating connectives can be confined to a small set of test formulæ. Afterwards, we show that such test formulæ can be transformed into first-order formulæ. If the above conditions (1) or (2) are satisfied, then the obtained first-order formulæ are in the BSR class, which ensures decidability. The PSPACE upper bound relies on a careful analysis of the maximal size of the test formulæ. The analysis reveals that, although the boolean combination of test formulæ is of exponential size, its components (e.g., the conjunctions in its DNF) are of polynomial size and can be enumerated in polynomial space. For space reasons, full details and proofs are given in a technical report [8].


Applications. Besides theoretical interest, our work has natural applications in program verification. Indeed, purely universal SL formulæ are useful to express pre- or post-conditions asserting "local" constraints on the shape of the data structures manipulated by a program. Consider the atomic proposition $x \mapsto (y_1, \dots, y_k)$ which states that the value of the heap at $x$ is the tuple $(y_1, \dots, y_k)$ and there is no value, other than $x$, in the domain of $h$. With this in mind, the following formula describes a well-formed doubly-linked list:

$\forall x_1, x_2, x_3, x_4, x_5 \ .\ x_1 \mapsto (x_2, x_3) * x_2 \mapsto (x_4, x_5) * \top \to x_5 \approx x_1 \wedge \neg x_3 \approx x_4 \qquad (1)$

Such constraints could also be expressed by using inductively defined predicates; unfortunately, checking satisfiability of SL formulæ, even of very simple fragments with no occurrence of $\mathrel{-\!*}$, in the presence of user-defined inductive predicates is undecidable, unless some rather restrictive conditions are fulfilled [9]. In contrast, checking entailment between two universal formulæ boils down to checking the satisfiability of a $\mathrm{BSR}(\mathrm{SL}^k)$ formula, which can be done thanks to the decidability results in our paper.
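Formula (1) as an added worked example in Python (not code from the paper): a brute-force model checker for (1) over a constructed finite universe with $k = 2$, beside the local shape check that the universal formula boils down to once each points-to atom has pinned its variables. The heap encoding, the helper names and the sample heaps are my assumptions.

```python
# Added example, not code from the paper: deciding formula (1), the
# doubly-linked-list constraint, on constructed finite heaps with k = 2
# record fields.  A heap is a dict loc -> (next, prev), i.e. a finite partial
# function h : U -> U^2.  x |-> (y1, y2) holds only on the one-cell heap {x},
# phi1 * phi2 splits the heap into disjoint parts, and T holds on any heap.
# The helper names, the universe and the sample heaps are my own.
from itertools import product


def sat_points_to(heap, x, vals):
    """Semantics of x |-> vals: the domain of the heap is exactly {x}."""
    return set(heap) == {x} and heap[x] == tuple(vals)


def sat_cells_star_true(heap, x1, v1, x2, v2):
    """x1 |-> v1 * x2 |-> v2 * T: the heap splits into the single cell x1,
    the single cell x2 (hence x1 != x2) and a remainder absorbed by T."""
    if x1 == x2 or x1 not in heap or x2 not in heap:
        return False
    return (sat_points_to({x1: heap[x1]}, x1, v1)
            and sat_points_to({x2: heap[x2]}, x2, v2))


def sat_formula_1(universe, heap):
    """forall x1..x5 . x1 |-> (x2,x3) * x2 |-> (x4,x5) * T
                       -> x5 = x1 /\ not x3 = x4, checked over all of U^5."""
    for x1, x2, x3, x4, x5 in product(universe, repeat=5):
        if (sat_cells_star_true(heap, x1, (x2, x3), x2, (x4, x5))
                and not (x5 == x1 and x3 != x4)):
            return False
    return True


def well_formed_dll(heap):
    """The same constraint read as the local shape check it expresses: for
    every allocated x1 whose next cell x2 is a different allocated cell,
    prev(x2) is x1 and prev(x1) differs from next(x2).  No quantifier
    enumeration is needed, since each points-to atom pins x2..x5 to the
    heap contents."""
    for x1, (x2, x3) in heap.items():
        if x2 in heap and x2 != x1:
            x4, x5 = heap[x2]
            if x5 != x1 or x3 == x4:
                return False
    return True


# Constructed universe (0 plays the role of nil) and sample heaps.
UNIVERSE = range(0, 5)
GOOD_DLL = {1: (2, 0), 2: (3, 1), 3: (0, 2)}      # 1 <-> 2 <-> 3, ends at nil
BAD_PREV = {1: (2, 0), 2: (3, 3), 3: (0, 2)}      # prev(2) is 3, should be 1
THREE_CYCLE = {1: (2, 3), 2: (3, 1), 3: (1, 2)}   # prev(1) = next(2) = 3
```

`THREE_CYCLE` is the case rejected only by the second conjunct $\neg x_3 \approx x_4$; `BAD_PREV` is rejected by $x_5 \approx x_1$.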

The separating implication (magic wand) seldom occurs in such shape constraints. However, it is useful to describe the dynamic transformations of the data structures, as in the following Hoare-style axiom, giving the weakest precondition of $\forall u \ .\ \psi$ with respect to redirecting the $i$-th record field of $x$ to $z$ [10]:

$\{x \mapsto (y_1, \dots, y_k) * [x \mapsto (y_1, \dots, y_{i-1}, z, y_{i+1}, \dots, y_k) \mathrel{-\!*} \forall u \ .\ \psi]\}\ \ x.i := z\ \ \{\forall u \ .\ \psi\}$

It is easy to check that the precondition is equivalent to the formula $\forall u \ .\ x \mapsto (y_1, \dots, y_k) * [x \mapsto (y_1, \dots, y_{i-1}, z, y_{i+1}, \dots, y_k) \mathrel{-\!*} \psi]$ because, although hoisting universal quantifiers outside of the separating conjunction is unsound in general, this is possible here due to the special form of the left-hand side $x \mapsto (y_1, \dots, y_{i-1}, z, \dots, y_k)$, which unambiguously defines a single heap cell. Therefore, checking that $\forall u \ .\ \psi$ is an invariant of the program statement $x.i := z$ amounts to checking that the formula $\forall u \ .\ \psi \wedge \exists u \ .\ \neg[x \mapsto (y_1, \dots, y_k) * (x \mapsto (y_1, \dots, y_{i-1}, z, \dots, y_k) \mathrel{-\!*} \psi)]$ is unsatisfiable. Because the magic wand occurs negated, this formula falls into a decidable class defined in the present paper, for both finite and infinite satisfiability. The complete formalization of this deductive program verification technique and the characterization of the class of programs for which it is applicable are outside the scope of the paper and left for future work.


Related Work. In contrast to first-order logic, for which the decision problem has been thoroughly investigated [1], only a few results are known for SL. For instance, the problem is undecidable in general and PSPACE-complete for quantifier-free formulæ [4]. For $k = 1$, the problem is also undecidable, but it is PSPACE-complete if in addition there is only one quantified variable [6], and decidable but nonelementary if there is no magic wand [2]. In particular, we have also studied the prenex form of $\mathrm{SL}^1$ [7] and found out that it is decidable and nonelementary, whereas $\mathrm{BSR}(\mathrm{SL}^1)$ is PSPACE-complete. In contrast, in this paper we show that undecidability occurs for $\mathrm{BSR}(\mathrm{SL}^k)$, for $k \geq 2$.

Expressive completeness results exist for quantifier-free $\mathrm{SL}^1$ [2, 11] and for $\mathrm{SL}^1$ with one and two quantified variables [5, 6]. There, the existence of equivalent boolean combinations of test formulæ is shown implicitly, using a finite enumeration of equivalence classes of models, instead of an effective transformation. Here, instead, we present an explicit equivalence-preserving transformation of quantifier-free $\mathrm{SL}^k$ into boolean combinations of test formulæ, and translate the latter into first-order logic. Further, we extend the expressive completeness result to finite universes, with additional test formulæ asserting cardinality constraints on unallocated cells.

Another translation of quantifier-free $\mathrm{SL}^k$ into first-order logic with equality has been described in [3]. There, the small model property of quantifier-free $\mathrm{SL}^k$ [4] is used to bound the number of first-order variables to be considered, and the separating connectives are interpreted as first-order quantifiers. The result is an equisatisfiable first-order formula. This translation scheme cannot, however, be directly applied to $\mathrm{BSR}(\mathrm{SL}^k)$, which does not have a small model property, being moreover undecidable. Theory-parameterized versions of $\mathrm{BSR}(\mathrm{SL}^k)$ have been shown to be undecidable, e.g. when integer linear arithmetic is used to reason about locations, and claimed to be PSPACE-complete for countably infinite and finite unbounded location sorts, with no relation other than equality [13]. In the present paper, we show that this claim is wrong, and draw a precise chart of decidability for both infinite and finite satisfiability of $\mathrm{BSR}(\mathrm{SL}^k)$.


2 Preliminaries 


Basic Definitions. Let $\mathbb{Z}_\infty = \mathbb{Z} \cup \{\infty\}$ and $\mathbb{N}_\infty = \mathbb{N} \cup \{\infty\}$, where for each $n \in \mathbb{Z}$ we have $n + \infty = \infty$ and $n < \infty$. For a countable set $S$ we denote by $\|S\| \in \mathbb{N}_\infty$ the cardinality of $S$. Let $\mathrm{Var}$ be a countable set of variables, denoted as $x, y, z$, and $U$ be a sort. Vectors of variables are denoted by $\mathbf{x}, \mathbf{y}$, etc. A function symbol $f$ has $\#(f) \geq 0$ arguments of sort $U$ and a sort $\sigma(f)$, which is either the boolean sort $\mathrm{Bool}$ or $U$. If $\#(f) = 0$, we call $f$ a constant. We use $\bot$ and $\top$ for the boolean constants false and true, respectively. First-order (FO) terms $t$ and formulæ $\varphi$ are defined by the following grammar:

\[ t := x \mid f(t_1,\ldots,t_{\#(f)}) \qquad\qquad \varphi := \bot \mid \top \mid t \approx t \mid p(t_1,\ldots,t_{\#(p)}) \mid \varphi \wedge \varphi \mid \neg\varphi \mid \exists x \,.\, \varphi \]

where $x \in \mathrm{Var}$, $f$ and $p$ are function symbols, $\sigma(f) = U$ and $\sigma(p) = \mathrm{Bool}$. We write $\varphi_1 \vee \varphi_2$ for $\neg(\neg\varphi_1 \wedge \neg\varphi_2)$, $\varphi_1 \rightarrow \varphi_2$ for $\neg\varphi_1 \vee \varphi_2$, $\varphi_1 \leftrightarrow \varphi_2$ for $\varphi_1 \rightarrow \varphi_2 \wedge \varphi_2 \rightarrow \varphi_1$ and $\forall x \,.\, \varphi$ for $\neg\exists x \,.\, \neg\varphi$. The size of a formula $\varphi$, denoted as $\mathrm{size}(\varphi)$, is the number of symbols needed to write it down. Let $\mathrm{var}(\varphi)$ be the set of variables that occur free in $\varphi$, i.e. not in the scope of a quantifier. A sentence $\varphi$ is a formula where $\mathrm{var}(\varphi) = \emptyset$.

First-order formulæ are interpreted over FO-structures (called structures, when no confusion arises) $\mathcal{S} = (\mathfrak{U}, \mathfrak{s}, \mathfrak{i})$, where $\mathfrak{U}$ is a countable set, called the universe, the elements of which are called locations, $\mathfrak{s} : \mathrm{Var} \rightarrow \mathfrak{U}$ is a mapping of variables to locations, called a store, and $\mathfrak{i}$ interprets each function symbol $f$ by a function $f^{\mathfrak{i}} : \mathfrak{U}^{\#(f)} \rightarrow \mathfrak{U}$, if $\sigma(f) = U$, and $f^{\mathfrak{i}} : \mathfrak{U}^{\#(f)} \rightarrow \{\bot^{\mathfrak{i}}, \top^{\mathfrak{i}}\}$ if $\sigma(f) = \mathrm{Bool}$. A structure $(\mathfrak{U}, \mathfrak{s}, \mathfrak{i})$ is finite when $\|\mathfrak{U}\| \in \mathbb{N}$ and infinite otherwise. We write $\mathcal{S} \models \varphi$ iff $\varphi$ is true when interpreted in $\mathcal{S}$. This relation is defined recursively on the structure of $\varphi$, as usual. When $\mathcal{S} \models \varphi$, we say that $\mathcal{S}$ is a model of $\varphi$. A formula is [finitely] satisfiable when it has a [finite] model. We write $\varphi_1 \equiv \varphi_2$ when $(\mathfrak{U}, \mathfrak{s}, \mathfrak{i}) \models \varphi_1 \Leftrightarrow (\mathfrak{U}, \mathfrak{s}, \mathfrak{i}) \models \varphi_2$, for every structure $(\mathfrak{U}, \mathfrak{s}, \mathfrak{i})$.

The Bernays-Schönfinkel-Ramsey fragment of FO, denoted by $\mathrm{BSR}(\mathrm{FO})$, is the set of sentences $\exists x_1 \ldots \exists x_n \forall y_1 \ldots \forall y_m \,.\, \varphi$, where $\varphi$ is a quantifier-free formula in which all function symbols $f$ of arity $\#(f) > 0$ have sort $\sigma(f) = \mathrm{Bool}$.


Separation Logic. Let $k$ be a strictly positive integer. The logic $\mathrm{SL}^k$ is the set of formulæ generated by the grammar:

\[ \varphi := \bot \mid \top \mid \mathrm{emp} \mid x \approx y \mid x \mapsto (y_1,\ldots,y_k) \mid \varphi \wedge \varphi \mid \neg\varphi \mid \varphi * \varphi \mid \varphi -\!* \varphi \mid \exists x \,.\, \varphi \]

where $x, y, y_1, \ldots, y_k \in \mathrm{Var}$. The connectives $*$ and $-\!*$ are respectively called the separating conjunction and separating implication (magic wand). We write $\varphi_1 \multimap \varphi_2$ for $\neg(\varphi_1 -\!* \neg\varphi_2)$ ($\multimap$ is called septraction). The size and set of free variables of an $\mathrm{SL}^k$ formula $\varphi$ are defined as for first-order formulæ.

Given an $\mathrm{SL}^k$ formula $\phi$ and a subformula $\psi$ of $\phi$, we say that $\psi$ occurs at polarity $p \in \{-1, 0, 1\}$ iff one of the following holds: (i) $\phi = \psi$ and $p = 1$, (ii) $\phi = \neg\phi_1$ and $\psi$ occurs at polarity $-p$ in $\phi_1$, (iii) $\phi = \phi_1 \wedge \phi_2$ or $\phi = \phi_1 * \phi_2$, and $\psi$ occurs at polarity $p$ in $\phi_i$, for some $i = 1, 2$, or (iv) $\phi = \phi_1 -\!* \phi_2$ and either $\psi$ is a subformula of $\phi_1$ and $p = 0$, or $\psi$ occurs at polarity $p$ in $\phi_2$. A polarity of $1$, $0$ or $-1$ is also referred to as positive, neutral or negative, respectively. Note that our notion of polarity is slightly different from the usual one, because the antecedent of a separating implication is of neutral polarity, while the antecedent of an implication is usually of negative polarity. This is meant to strengthen the upcoming decidability results, see Remark 2.

$\mathrm{SL}^k$ formulæ are interpreted over SL-structures $\mathcal{I} = (\mathfrak{U}, \mathfrak{s}, \mathfrak{h})$, where $\mathfrak{U}$ and $\mathfrak{s}$ are as before and $\mathfrak{h} : \mathfrak{U} \rightharpoonup_{\mathrm{fin}} \mathfrak{U}^k$ is a finite partial mapping of locations to $k$-tuples of locations, called a heap. As before, a structure $(\mathfrak{U}, \mathfrak{s}, \mathfrak{h})$ is finite when $\|\mathfrak{U}\| \in \mathbb{N}$ and infinite otherwise. We denote by $\mathrm{dom}(\mathfrak{h})$ the domain of the heap $\mathfrak{h}$ and by $|\mathfrak{h}| \in \mathbb{N}$ the cardinality of $\mathrm{dom}(\mathfrak{h})$. Two heaps $\mathfrak{h}_1$ and $\mathfrak{h}_2$ are disjoint iff $\mathrm{dom}(\mathfrak{h}_1) \cap \mathrm{dom}(\mathfrak{h}_2) = \emptyset$, in which case $\mathfrak{h}_1 \uplus \mathfrak{h}_2$ denotes their union. A heap $\mathfrak{h}'$ is an extension of $\mathfrak{h}$ by $\mathfrak{h}''$ iff $\mathfrak{h}' = \mathfrak{h} \uplus \mathfrak{h}''$. The relation $(\mathfrak{U}, \mathfrak{s}, \mathfrak{h}) \models \varphi$ is defined inductively, as follows:

\[ \begin{array}{lcl}
(\mathfrak{U}, \mathfrak{s}, \mathfrak{h}) \models \mathrm{emp} & \Leftrightarrow & \mathfrak{h} = \emptyset \\
(\mathfrak{U}, \mathfrak{s}, \mathfrak{h}) \models x \mapsto (y_1,\ldots,y_k) & \Leftrightarrow & \mathfrak{h} = \{(\mathfrak{s}(x), (\mathfrak{s}(y_1),\ldots,\mathfrak{s}(y_k)))\} \\
(\mathfrak{U}, \mathfrak{s}, \mathfrak{h}) \models \varphi_1 * \varphi_2 & \Leftrightarrow & \text{there exist disjoint heaps } \mathfrak{h}_1, \mathfrak{h}_2 \text{ such that } \mathfrak{h} = \mathfrak{h}_1 \uplus \mathfrak{h}_2 \\
& & \text{and } (\mathfrak{U}, \mathfrak{s}, \mathfrak{h}_i) \models \varphi_i, \text{ for } i = 1, 2 \\
(\mathfrak{U}, \mathfrak{s}, \mathfrak{h}) \models \varphi_1 -\!* \varphi_2 & \Leftrightarrow & \text{for all heaps } \mathfrak{h}' \text{ disjoint from } \mathfrak{h} \text{ such that } (\mathfrak{U}, \mathfrak{s}, \mathfrak{h}') \models \varphi_1 \\
& & \text{we have } (\mathfrak{U}, \mathfrak{s}, \mathfrak{h} \uplus \mathfrak{h}') \models \varphi_2
\end{array} \]

The semantics of equality, boolean and first-order connectives is the usual one. Satisfiability, entailment and equivalence are defined for $\mathrm{SL}^k$ as for FO formulæ. The Bernays-Schönfinkel-Ramsey fragment of $\mathrm{SL}^k$, denoted by $\mathrm{BSR}(\mathrm{SL}^k)$, is the set of sentences $\exists x_1 \ldots \exists x_n \forall y_1 \ldots \forall y_m \,.\, \phi$, where $\phi$ is a quantifier-free $\mathrm{SL}^k$ formula. Since there is no function symbol of arity greater than zero in $\mathrm{SL}^k$, there is no restriction, other than the form of the quantifier prefix, defining $\mathrm{BSR}(\mathrm{SL}^k)$.


3 Test Formulæ for $\mathrm{SL}^k$

We define a small set of $\mathrm{SL}^k$ patterns of formulæ, possibly parameterized by a positive integer, called test formulæ. These patterns capture properties related to allocation, points-to relations in the heap and cardinality constraints.


Definition 1. The following patterns are called test formulæ:

\[ \begin{array}{lcl}
x \hookrightarrow \mathbf{y} & \triangleq & x \mapsto \mathbf{y} * \top \\[2pt]
\mathrm{alloc}(x) & \triangleq & x \mapsto \underbrace{(x,\ldots,x)}_{k \text{ times}} -\!* \bot \\[2pt]
|U| \geq n & \triangleq & \top \multimap |h| \geq n, \quad n \in \mathbb{N} \\[2pt]
|h| \geq |U| - n & \triangleq & |h| \geq n + 1 -\!* \bot, \quad n \in \mathbb{N} \\[2pt]
|h| \geq n & \triangleq & \left\{ \begin{array}{ll} |h| \geq n - 1 * \neg\mathrm{emp}, & \text{if } n > 0 \\ \top, & \text{if } n = 0 \\ \bot, & \text{if } n = \infty \end{array} \right.
\end{array} \]

where $x, y \in \mathrm{Var}$, $\mathbf{y} \in \mathrm{Var}^k$ and $n \in \mathbb{N}_\infty$ is a positive integer or $\infty$.


The semantics of test formulæ is very natural: $x \hookrightarrow \mathbf{y}$ means that $x$ points to the vector $\mathbf{y}$, $\mathrm{alloc}(x)$ means that $x$ is allocated, and the arithmetic expressions are interpreted as usual, where $|h|$ and $|U|$ respectively denote the number of allocated cells and the number of locations (possibly $\infty$). Formally:

Proposition 1. Given an SL-structure $(\mathfrak{U}, \mathfrak{s}, \mathfrak{h})$, the following equivalences hold, for all variables $x, y_1, \ldots, y_k \in \mathrm{Var}$ and integers $n \in \mathbb{N}$:

\[ \begin{array}{lcl}
(\mathfrak{U}, \mathfrak{s}, \mathfrak{h}) \models x \hookrightarrow \mathbf{y} & \Leftrightarrow & \mathfrak{h}(\mathfrak{s}(x)) = \mathfrak{s}(\mathbf{y}) \\
(\mathfrak{U}, \mathfrak{s}, \mathfrak{h}) \models \mathrm{alloc}(x) & \Leftrightarrow & \mathfrak{s}(x) \in \mathrm{dom}(\mathfrak{h}) \\
(\mathfrak{U}, \mathfrak{s}, \mathfrak{h}) \models |U| \geq n & \Leftrightarrow & \|\mathfrak{U}\| \geq n \\
(\mathfrak{U}, \mathfrak{s}, \mathfrak{h}) \models |h| \geq n & \Leftrightarrow & |\mathfrak{h}| \geq n \\
(\mathfrak{U}, \mathfrak{s}, \mathfrak{h}) \models |h| \geq |U| - n & \Leftrightarrow & |\mathfrak{h}| \geq \|\mathfrak{U}\| - n
\end{array} \]

Not all atoms of $\mathrm{SL}^k$ are test formulæ; for instance, $x \mapsto \mathbf{y}$ and $\mathrm{emp}$ are not test formulæ. However, by Proposition 1, we have the equivalences $x \mapsto \mathbf{y} \equiv x \hookrightarrow \mathbf{y} \wedge \neg |h| \geq 2$ and $\mathrm{emp} \equiv \neg |h| \geq 1$. Note that, for any $n \in \mathbb{N}$, the test formulæ $|U| \geq n$ and $|h| \geq |U| - n$ are trivially true and false, respectively, if the universe is infinite. We write $t < u$ for $\neg(t \geq u)$.

We need to introduce a few notations useful to describe the upcoming transformations in a concise and precise way. A literal is a test formula or its negation. Unless stated otherwise, we view a conjunction $T$ of literals as a set¹ and we use the same symbol to denote both a set and the formula obtained by conjoining the elements of the set. The equivalence relation $x \approx_T y$ is defined as $T \models x \approx y$ and we write $x \not\approx_T y$ for $T \models \neg x \approx y$. Observe that $x \not\approx_T y$ is not the complement of $x \approx_T y$. For a set $X$ of variables, $|X|_T$ is the number of equivalence classes of $\approx_T$ in $X$.

¹ The empty set is thus considered to be true.
Definition 2. A variable $x$ is allocated in an SL-structure $\mathcal{I}$ iff $\mathcal{I} \models \mathrm{alloc}(x)$. For a set of variables $X \subseteq \mathrm{Var}$, let $\mathrm{alloc}(X) \triangleq \bigwedge_{x \in X} \mathrm{alloc}(x)$ and $\mathrm{nalloc}(X) \triangleq \bigwedge_{x \in X} \neg\mathrm{alloc}(x)$. For a set $T$ of literals, let:

\[ \begin{array}{lcl}
\mathrm{av}(T) & \triangleq & \{ x \in \mathrm{Var} \mid x \approx_T x',\; T \cap \{\mathrm{alloc}(x'),\, x' \hookrightarrow \mathbf{y} \mid \mathbf{y} \in \mathrm{Var}^k\} \neq \emptyset \} \\
\mathrm{nv}(T) & \triangleq & \{ x \in \mathrm{Var} \mid x \approx_T x',\; \neg\mathrm{alloc}(x') \in T \} \\
\mathrm{fp}_X(T) & \triangleq & T \cap \{ \mathrm{alloc}(x),\, \neg\mathrm{alloc}(x),\, x \hookrightarrow \mathbf{y},\, \neg x \hookrightarrow \mathbf{y} \mid x \in X,\, \mathbf{y} \in \mathrm{Var}^k \}
\end{array} \]

We let $\#_a(T) \triangleq |\mathrm{av}(T)|_T$ be the number of equivalence classes of $\approx_T$ containing variables allocated in every model of $T$ and $\#_n(X, T) \triangleq |X \cap \mathrm{nv}(T)|_T$ be the number of equivalence classes of $\approx_T$ containing variables from $X$ that are not allocated in any model of $T$. We also let $\mathrm{fp}_a(T) \triangleq \mathrm{fp}_{\mathrm{av}(T)}(T)$.

Intuitively, $\mathrm{av}(T)$ [$\mathrm{nv}(T)$] is the set of variables that must be [are never] allocated in every [any] model of $T$, and $\mathrm{fp}_X(T)$ is the footprint of $T$ relative to the set $X \subseteq \mathrm{Var}$, i.e. the set of formulæ describing allocation and points-to relations over variables from $X$. For example, if $T = \{x \approx z,\, \mathrm{alloc}(x),\, \neg\mathrm{alloc}(y),\, \neg x \hookrightarrow y\}$, then $\mathrm{av}(T) = \{x, z\}$, $\mathrm{nv}(T) = \{y\}$, $\mathrm{fp}_a(T) = \{\mathrm{alloc}(x),\, \neg x \hookrightarrow y\}$ and $\mathrm{fp}_{\mathrm{nv}(T)}(T) = \{\neg\mathrm{alloc}(y)\}$.


3.1 From Test Formulæ to FO

The introduction of test formulæ (Definition 1) is motivated by the reduction of the (in)finite satisfiability problem for quantified boolean combinations thereof to the same problem for FO. The reduction is devised in such a way that the obtained formula is in the BSR class, if possible. Given a quantified boolean combination of test formulæ $\phi$, the FO formula $\tau(\phi)$ is defined by induction on the structure of $\phi$:

\[ \begin{array}{lcl@{\qquad}lcl}
\tau(|h| \geq n) & \triangleq & a_n & \tau(|U| \geq n) & \triangleq & b_n \\
\tau(|h| \geq |U| - n) & \triangleq & \neg c_{n+1} & \tau(\neg\phi_1) & \triangleq & \neg\tau(\phi_1) \\
\tau(x \hookrightarrow \mathbf{y}) & \triangleq & \mathfrak{p}(x, y_1, \ldots, y_k) & \tau(\mathrm{alloc}(x)) & \triangleq & \exists y_1 \ldots \exists y_k \,.\, \mathfrak{p}(x, y_1, \ldots, y_k) \\
\tau(\phi_1 \wedge \phi_2) & \triangleq & \tau(\phi_1) \wedge \tau(\phi_2) & \tau(\exists x \,.\, \phi_1) & \triangleq & \exists x \,.\, \tau(\phi_1) \\
\tau(x \approx y) & \triangleq & x \approx y
\end{array} \]

where $\mathfrak{p}$ is a $(k+1)$-ary function symbol of sort $\mathrm{Bool}$ and $a_n$, $b_n$ and $c_n$ are constants of sort $\mathrm{Bool}$, for all $n \in \mathbb{N}$. These function symbols are related by the following axioms, where $u_n$, $v_n$ and $w_n$ are constants of sort $U$, for all $n \geq 0$:

\[ \begin{array}{l}
\mathsf{P}: \; \forall x \forall \mathbf{y} \forall \mathbf{y}' \,.\, \mathfrak{p}(x, \mathbf{y}) \wedge \mathfrak{p}(x, \mathbf{y}') \rightarrow \mathbf{y} \approx \mathbf{y}' \\[4pt]
\mathsf{A}_0: \; a_0 \qquad \mathsf{A}_n: \; a_n \rightarrow a_{n-1} \wedge \exists \mathbf{y} \,.\, \mathfrak{p}(u_n, \mathbf{y}) \wedge \bigwedge_{i=1}^{n-1} \neg u_n \approx u_i \quad \text{and} \quad \forall x \forall \mathbf{y} \,.\, \neg a_n \wedge \mathfrak{p}(x, \mathbf{y}) \rightarrow \bigvee_{i=1}^{n-1} x \approx u_i \\[4pt]
\mathsf{B}_0: \; b_0 \qquad \mathsf{B}_n: \; b_n \rightarrow b_{n-1} \wedge \bigwedge_{i=1}^{n-1} \neg v_n \approx v_i \quad \text{and} \quad \forall x \,.\, \neg b_n \rightarrow \bigvee_{i=1}^{n-1} x \approx v_i \\[4pt]
\mathsf{C}_0: \; c_0 \qquad \mathsf{C}_n: \; \forall \mathbf{y} \,.\, c_n \rightarrow c_{n-1} \wedge \neg\mathfrak{p}(w_n, \mathbf{y}) \wedge \bigwedge_{i=1}^{n-1} \neg w_n \approx w_i
\end{array} \]

Intuitively, $\mathfrak{p}$ encodes the heap and $a_n$ (resp. $b_n$) is true iff there are at least $n$ cells in the domain of the heap (resp. in the universe), namely $u_1, \ldots, u_n$ (resp. $v_1, \ldots, v_n$). If $c_n$ is true, then there are at least $n$ locations $w_1, \ldots, w_n$ outside of the domain of the heap (free), but the converse does not hold. The $\mathsf{C}_n$ axioms do not state the equivalence of $c_n$ with the existence of at least $n$ free locations, because such an equivalence cannot be expressed in $\mathrm{BSR}(\mathrm{FO})$². As a consequence, the transformation preserves sat-equivalence only if the formulæ $|h| \geq |U| - n$ occur only at negative polarity (see Lemma 1, Point 2). If the domain is infinite, then this problem does not arise, since the formulæ $|h| \geq |U| - n$ are always false.


Definition 3. For a quantified boolean combination of test formulæ $\phi$, we let $\mathcal{N}(\phi)$ be the maximum integer $n$ occurring in a test formula $\theta$ of the form $|h| \geq n$, $|U| \geq n$, or $|h| \geq |U| - n$ from $\phi$ and define $\mathcal{A}(\phi) \triangleq \{\mathsf{P}\} \cup \{\mathsf{A}_i\}_{i=0}^{\mathcal{N}(\phi)} \cup \{\mathsf{B}_i\}_{i=0}^{\mathcal{N}(\phi)} \cup \{\mathsf{C}_i\}_{i=0}^{\mathcal{N}(\phi)+1}$ as the set of axioms related to $\phi$.

The relationship between $\phi$ and $\tau(\phi)$ is stated below.

Lemma 1. Let $\phi$ be a quantified boolean combination of test formulæ. The following hold, for any universe $\mathfrak{U}$ and any store $\mathfrak{s}$:

1. if $(\mathfrak{U}, \mathfrak{s}, \mathfrak{h}) \models \phi$, for a heap $\mathfrak{h}$, then $(\mathfrak{U}, \mathfrak{s}, \mathfrak{i}) \models \tau(\phi) \wedge \mathcal{A}(\phi)$, for an interpretation $\mathfrak{i}$;

2. if each test formula $|h| \geq |U| - n$ in $\phi$ occurs at a negative polarity and $(\mathfrak{U}, \mathfrak{s}, \mathfrak{i}) \models \tau(\phi) \wedge \mathcal{A}(\phi)$ for an interpretation $\mathfrak{i}$ such that $\|\mathfrak{p}^{\mathfrak{i}}\| \in \mathbb{N}$, then $(\mathfrak{U}, \mathfrak{s}, \mathfrak{h}) \models \phi$, for a heap $\mathfrak{h}$.


The translation of $\mathrm{alloc}(x)$ introduces existential quantifiers depending on $x$. For instance, $\forall x \,.\, \mathrm{alloc}(x)$ is translated as $\forall x \exists y_1 \ldots \exists y_k \,.\, \mathfrak{p}(x, y_1, \ldots, y_k)$, which lies outside of the $\mathrm{BSR}(\mathrm{FO})$ fragment. Because the upcoming decidability results (Theorem 2) require that $\tau(\phi)$ be in $\mathrm{BSR}(\mathrm{FO})$, we end this section by delimiting a fragment of $\mathrm{SL}^k$ whose translation falls into $\mathrm{BSR}(\mathrm{FO})$.

Lemma 2. Given an $\mathrm{SL}^k$ formula $\varphi = \forall z_1 \ldots \forall z_m \,.\, \phi$, where $\phi$ is a boolean combination of test formulæ containing no positive occurrence of $\mathrm{alloc}(z_i)$ for any $i \in [1, m]$, $\tau(\varphi)$ is equivalent (up to transformation into prenex form) to a $\mathrm{BSR}(\mathrm{FO})$ formula with the same constants and free variables as $\tau(\varphi)$.

Intuitively, if a formula $\mathrm{alloc}(x)$ occurs negatively, then the quantifiers $\exists y_1 \ldots \exists y_k$ added when translating $\mathrm{alloc}(x)$ can be transformed into universal ones by transformation into nnf, and if $x$ is not universal then they may be shifted to the root of the formula, since $y_1, \ldots, y_k$ depend only on $x$. In both cases, the quantifier prefix $\exists^* \forall^*$ is preserved.

² The converse of $\mathsf{C}_n$: $\forall x \,.\, (\neg c_n \wedge \forall \mathbf{y} \,.\, \neg\mathfrak{p}(x, \mathbf{y})) \rightarrow \bigvee_{i=1}^{n-1} x \approx w_i$ is not in $\mathrm{BSR}(\mathrm{FO})$.


250 M. Echenim et al. 


4 From Quantifier-Free $\mathrm{SL}^k$ to Test Formulæ

This section states the expressive completeness result of the paper, namely that any quantifier-free $\mathrm{SL}^k$ formula is equivalent, on both finite and infinite models, to a boolean combination of test formulæ. Starting from a quantifier-free $\mathrm{SL}^k$ formula $\varphi$, we define a set $\mu(\varphi)$ of conjunctions of test formulæ and their negations, called minterms, such that $\varphi \equiv \bigvee_{M \in \mu(\varphi)} M$. Although the number of minterms in $\mu(\varphi)$ is exponential in the size of $\varphi$, checking the membership of a given minterm $M$ in $\mu(\varphi)$ can be done in PSPACE. Together with the translation of minterms into FO (Sect. 3.1), this fact is used to prove PSPACE membership of the two decidable fragments of $\mathrm{BSR}(\mathrm{SL}^k)$, defined next (Sect. 5.2).


4.1 Minterms

A minterm $M$ is a set (conjunction) of literals containing: exactly one literal $|h| \geq \min_M$ and one literal $|h| < \max_M$, where $\min_M \in \mathbb{N} \cup \{|U| - n \mid n \in \mathbb{N}\}$ and $\max_M \in \mathbb{N}_\infty \cup \{|U| - n \mid n \in \mathbb{N}\}$, and at most one literal of the form $|U| \geq n$, respectively $|U| < n$.

A minterm may be viewed as an abstract description of a heap. The conditions are for technical convenience only and are not restrictive. For instance, tautological test formulæ of the form $|h| \geq 0$ and/or $|h| < \infty$ may be added if needed so that the first condition holds. If $M$ contains two literals $t \geq n_1$ and $t \geq n_2$ with $n_1 \leq n_2$ and $t \in \{|h|, |U|\}$, then $t \geq n_1$ is redundant and can be removed, and similarly if $M$ contains literals $|h| \geq |U| - n_1$ and $|h| \geq |U| - n_2$. Heterogeneous constraints are merged by performing a case split on the value of $|U|$. For example, if $M$ contains both $|h| \geq |U| - 4$ and $|h| \geq 1$, then the first condition prevails if $|U| \geq 5$, yielding the equivalent disjunction: $|h| \geq 1 \wedge |U| < 5 \;\vee\; |h| \geq |U| - 4 \wedge |U| \geq 5$. Thus, in the following, we assume that any conjunction of literals can be transformed into a disjunction of minterms [8].


Definition 4. Given a minterm $M$, we define the sets:

\[ \begin{array}{ll}
M^e \triangleq M \cap \{ x \approx y,\, \neg x \approx y \mid x, y \in \mathrm{Var} \} & M^a \triangleq M \cap \{ \mathrm{alloc}(x),\, \neg\mathrm{alloc}(x) \mid x \in \mathrm{Var} \} \\
M^u \triangleq M \cap \{ |U| \geq n,\, |U| < n \mid n \in \mathbb{N} \} & M^p \triangleq M \cap \{ x \hookrightarrow \mathbf{y},\, \neg x \hookrightarrow \mathbf{y} \mid x \in \mathrm{Var},\, \mathbf{y} \in \mathrm{Var}^k \}
\end{array} \]

Thus, $M = M^e \cup M^a \cup M^u \cup M^p \cup \{|h| \geq \min_M,\, |h| < \max_M\}$, for each minterm $M$. Given a set of variables $X \subseteq \mathrm{Var}$, a minterm $M$ is (1) E-complete for $X$ iff for all $x, y \in X$ exactly one of $x \approx y \in M$, $\neg x \approx y \in M$ holds, and (2) A-complete for $X$ iff for each $x \in X$ exactly one of $\mathrm{alloc}(x) \in M$, $\neg\mathrm{alloc}(x) \in M$ holds.


For a literal $\ell$, we denote by $\overline{\ell}$ its complement, i.e. $\overline{\theta} = \neg\theta$ and $\overline{\neg\theta} = \theta$, where $\theta$ is a test formula. Let $\overline{M}$ be the minterm obtained from $M$ by replacing each literal with its complement. The complement closure of $M$ is $\mathrm{cc}(M) \triangleq M \cup \overline{M}$. Two tuples $\mathbf{y}, \mathbf{y}' \in \mathrm{Var}^k$ are $M$-distinct if $y_i \not\approx_M y'_i$, for some $i \in [1, k]$. Given a minterm $M$ that is E-complete for $\mathrm{var}(M)$, its points-to closure is $\mathrm{pc}(M) \triangleq \bot$ if there exist literals $x \hookrightarrow \mathbf{y}, x' \hookrightarrow \mathbf{y}' \in M$ such that $x \approx_M x'$ and $\mathbf{y}, \mathbf{y}'$ are $M$-distinct, and $\mathrm{pc}(M) \triangleq M$, otherwise. Intuitively, $\mathrm{pc}(M)$ is $\bot$ iff $M$ contradicts the fact that the heap is a partial function³. The domain closure of $M$ is $\mathrm{dc}(M) \triangleq \bot$ if either $\min_M = n_1$ and $\max_M = n_2$ for some $n_1, n_2 \in \mathbb{Z}$ such that $n_1 \geq n_2$, or $\min_M = |U| - n_1$ and $\max_M = |U| - n_2$, where $n_2 \geq n_1$; and otherwise:

\[ \mathrm{dc}(M) \triangleq \begin{array}[t]{l}
M \cup \{ |U| \geq \lceil \sqrt[k]{\max_{x \in \mathrm{av}(M)} (\delta_x(M) + 1)} \rceil \} \\
\phantom{M} \cup \{ |U| \geq n_1 + n_2 + 1 \mid \min_M = n_1,\, \max_M = |U| - n_2,\, n_1, n_2 \in \mathbb{N} \} \\
\phantom{M} \cup \{ |U| < n_1 + n_2 \mid \min_M = |U| - n_1,\, \max_M = n_2,\, n_1, n_2 \in \mathbb{N} \}
\end{array} \]

where $\delta_x(M)$ is the number of pairwise $M$-distinct tuples $\mathbf{y}$ for which there exists $\neg x' \hookrightarrow \mathbf{y} \in M$ such that $x \approx_M x'$. Intuitively, $\mathrm{dc}(M)$ asserts that $\min_M < \max_M$ and that the domain contains enough elements to allocate all cells. Essentially, given a structure $(\mathfrak{U}, \mathfrak{s}, \mathfrak{h})$, if $\mathfrak{h}(x)$ is known to be defined and distinct from $n$ pairwise distinct vectors of locations $\mathbf{v}_1, \ldots, \mathbf{v}_n$, then necessarily at least $n + 1$ vectors must exist. Since there are $\|\mathfrak{U}\|^k$ vectors of length $k$, we must have $\|\mathfrak{U}\|^k \geq n + 1$, hence $\|\mathfrak{U}\| \geq \lceil \sqrt[k]{n + 1} \rceil$. For instance, if $M = \{\neg x \hookrightarrow y_i,\, \mathrm{alloc}(x),\, y_i \not\approx y_j \mid i, j \in [1, n],\, i \neq j\}$ (with $k = 1$), then it is clear that $M$ is unsatisfiable if there are at most $n$ locations: $x$ would have to point to one of the $n$ pairwise distinct locations $y_1, \ldots, y_n$, so it cannot be allocated in this case.


Definition 5. A minterm $M$ is footprint-consistent⁴ if for all $x, x' \in \mathrm{Var}$ and $\mathbf{y}, \mathbf{y}' \in \mathrm{Var}^k$, such that $x \approx_M x'$ and $y_i \approx_M y'_i$ for all $i \in [1, k]$, we have (1) if $\mathrm{alloc}(x) \in M$ then $\neg\mathrm{alloc}(x') \notin M$, and (2) if $x \hookrightarrow \mathbf{y} \in M$ then $\neg\mathrm{alloc}(x'),\, \neg x' \hookrightarrow \mathbf{y}' \notin M$.

We are now ready to define a boolean combination of test formulæ that is equivalent to $M_1 * M_2$, where $M_1$ and $M_2$ are minterms satisfying a number of additional conditions. Let $\mathrm{npto}(M_1, M_2) \triangleq (M_1 \cap M_2) \cap \{ \neg x \hookrightarrow \mathbf{y} \mid x \notin \mathrm{av}(M_1 \cup M_2),\, \mathbf{y} \in \mathrm{Var}^k \}$ be the set of negative points-to literals common to $M_1$ and $M_2$, involving left-hand side variables not allocated in either $M_1$ or $M_2$.


Lemma 3. Let $M_1, M_2$ be two footprint-consistent minterms that are E-complete for $\mathrm{var}(M_1 \cup M_2)$, with $\mathrm{cc}(M_1^u) = \mathrm{cc}(M_2^u)$. Then $M_1 * M_2 \equiv \mathrm{elim}_*(M_1, M_2)$, where

\[ \begin{array}{rlr}
\mathrm{elim}_*(M_1, M_2) \triangleq & M_1^e \wedge M_2^e \wedge \mathrm{dc}(M_1)^u \wedge \mathrm{dc}(M_2)^u \;\wedge & (2) \\[2pt]
& \bigwedge_{x \in \mathrm{av}(M_1),\, y \in \mathrm{av}(M_2)} \neg x \approx y \wedge \mathrm{fp}_a(M_1) \wedge \mathrm{fp}_a(M_2) \;\wedge & (3) \\[2pt]
& \mathrm{nalloc}(\mathrm{nv}(M_1) \cap \mathrm{nv}(M_2)) \wedge \mathrm{npto}(M_1, M_2) \;\wedge & (4) \\[2pt]
& |h| \geq \min_{M_1} + \min_{M_2} \wedge |h| < \max_{M_1} + \max_{M_2} - 1 \;\wedge & (5) \\[2pt]
& \eta_{12} \wedge \eta_{21} & (6)
\end{array} \]

and $\eta_{ij} \triangleq \bigwedge_{Y \subseteq \mathrm{nv}(M_j) \setminus \mathrm{av}(M_i)} \mathrm{alloc}(Y) \rightarrow \left( |h| \geq \#_a(M_i) + |Y|_{M_i} + \min_{M_j} \;\wedge\; \#_a(M_i) + |Y|_{M_i} < \max_{M_i} \right)$.

³ Note that we do not assert the equality $\mathbf{y} \approx \mathbf{y}'$; instead we only check that it is not falsified. This is sufficient for our purpose because in the following we always assume that the considered minterms are E-complete.

⁴ Footprint-consistency is a necessary, yet not sufficient, condition for satisfiability of minterms. For example, the minterm $M = \{x \hookrightarrow y,\, x' \hookrightarrow y',\, \neg y \approx y',\, |h| < 2\}$ is at the same time footprint-consistent and unsatisfiable.
Intuitively, if $M_1$ and $M_2$ hold separately, then all heap-independent literals from $M_1 \cup M_2$ must be satisfied (2), the variables allocated in $M_1$ and $M_2$ must be pairwise distinct and their footprints, relative to the allocated variables, jointly asserted (3). Moreover, unallocated variables on both sides must not be allocated and common negative points-to literals must be asserted (4). Since the heap satisfying $\mathrm{elim}_*(M_1, M_2)$ is the disjoint union of the heaps for $M_1$ and $M_2$, its bounds are the sum of the bounds on both sides (5) and, moreover, the variables that $M_2$ never allocates [$\mathrm{nv}(M_2)$] may occur allocated in the heap of $M_1$ and vice versa, whence the constraints $\eta_{12}$ and $\eta_{21}$, respectively (6).

Next, we show a similar result for the separating implication. For technical convenience, we translate the septraction $M_1 \multimap M_2$, instead of $M_1 -\!* M_2$, as an equivalent boolean combination of test formulæ. This is without loss of generality, because $M_1 -\!* M_2 \equiv \neg(M_1 \multimap \neg M_2)$. Unlike in the case of the separating conjunction (Lemma 3), here the definition of the boolean combination of test formulæ depends on whether the universe is finite or infinite.

If the complement of some literal $\ell \in \mathrm{fp}_a(M_1)$ belongs to $M_2$, then no extension by a heap that satisfies $M_1$ may satisfy $M_2$. Therefore, as an additional simplifying assumption, we suppose that $\mathrm{fp}_a(M_1) \cap \overline{M_2} = \emptyset$, so that $M_1 \multimap M_2$ is not trivially unsatisfiable. We write $\varphi \equiv^{\mathrm{fin}} \psi$ [$\varphi \equiv^{\mathrm{inf}} \psi$] if $\varphi$ has the same truth value as $\psi$ in all finite [infinite] structures.


Lemma 4. Let $M_1$ and $M_2$ be footprint-consistent minterms that are E-complete for $\mathrm{var}(M_1 \cup M_2)$, such that: $M_1$ is A-complete for $\mathrm{var}(M_1 \cup M_2)$, $M_2^a \cup M_2^p \subseteq \mathrm{cc}(M_1^a \cup M_1^p)$ and $\mathrm{fp}_a(M_1) \cap \overline{M_2} = \emptyset$. Then, $M_1 \multimap M_2 \equiv^{\mathrm{fin}} \mathrm{elim}^{\mathrm{fin}}_{\multimap}(M_1, M_2)$ and $M_1 \multimap M_2 \equiv^{\mathrm{inf}} \mathrm{elim}^{\mathrm{inf}}_{\multimap}(M_1, M_2)$, where:

\[ \begin{array}{rlr}
\mathrm{elim}^{\dagger}_{\multimap}(M_1, M_2) \triangleq & \mathrm{pc}(M_1)^e \wedge M_2^e \wedge \mathrm{dc}(M_1)^u \wedge \mathrm{dc}(M_2)^u \;\wedge & (7) \\[2pt]
& \mathrm{nalloc}(\mathrm{av}(M_1)) \wedge \mathrm{fp}_{\mathrm{nv}(M_1)}(M_2) \;\wedge & (8) \\[2pt]
& |h| \geq \min_{M_2} - \max_{M_1} + 1 \wedge |h| < \max_{M_2} - \min_{M_1} \;\wedge & (9) \\[2pt]
& \lambda^{\dagger} & (10)
\end{array} \]

with

\[ \lambda^{\mathrm{fin}} \triangleq \bigwedge_{Y \subseteq \mathrm{var}(M_1 \cup M_2)} \mathrm{nalloc}(Y) \rightarrow \left( |h| < |U| - \min_{M_1} - \#_n(Y, M_1) + 1 \;\wedge\; |U| \geq \min_{M_1} + \#_n(Y, M_1) \right) \qquad \lambda^{\mathrm{inf}} \triangleq \top \]

A heap satisfies $M_1 \multimap M_2$ iff it has an extension, by a disjoint heap satisfying $M_1$, that satisfies $M_2$. Thus, $\mathrm{elim}^{\dagger}_{\multimap}(M_1, M_2)$ must entail the heap-independent literals of both $M_1$ and $M_2$ (7). Next, no variable allocated by $M_1$ must be allocated by $\mathrm{elim}^{\dagger}_{\multimap}(M_1, M_2)$, otherwise no extension by a heap satisfying $M_1$ is possible and, moreover, the footprint of $M_2$ relative to the unallocated variables of $M_1$ must be asserted (8). The heap's cardinality constraints depend on the bounds of $M_1$ and $M_2$ (9) and, if $Y$ is a set of variables not allocated in the heap, these variables can be allocated in the extension (10). Actually, this is where the finite universe assumption first comes into play. If the universe is infinite, then there are enough locations outside the heap to be assigned to $Y$. However, if the universe is finite, then it is necessary to ensure that there are at least $\#_n(Y, M_1)$ free locations to be assigned to $Y$ (10).


4.2 Translating Quantifier-Free $\mathrm{SL}^k$ into Minterms

We prove next that each quantifier-free $\mathrm{SL}^k$ formula is equivalent to a finite disjunction of minterms:

Lemma 5. Given a quantifier-free $\mathrm{SL}^k$ formula $\phi$, there exist two sets of minterms $\mu^{\mathrm{fin}}(\phi)$ and $\mu^{\mathrm{inf}}(\phi)$ such that the following equivalences hold: (1) $\phi \equiv^{\mathrm{fin}} \bigvee_{M \in \mu^{\mathrm{fin}}(\phi)} M$ and (2) $\phi \equiv^{\mathrm{inf}} \bigvee_{M \in \mu^{\mathrm{inf}}(\phi)} M$.

The formal definition of $\mu^{\mathrm{fin}}(\phi)$ and $\mu^{\mathrm{inf}}(\phi)$ is given in [8] and omitted for the sake of conciseness and readability. Intuitively, these sets are defined by induction on the structure of the formula. For base cases, the following equivalences are used:

\[ x \mapsto \mathbf{y} \equiv x \hookrightarrow \mathbf{y} \wedge |h| < 2 \qquad \mathrm{emp} \equiv |h| < 1 \qquad x \approx y \equiv x \approx y \wedge |h| \geq 0 \wedge |h| < \infty \]

For formulæ $\neg\psi$ or $\psi_1 \wedge \psi_2$, the transformation is first applied recursively on $\psi_1$ and $\psi_2$, then the obtained formula is transformed into dnf. For formulæ $\psi_1 * \psi_2$ or $\psi_1 \multimap \psi_2$, the transformation is applied on $\psi_1$ and $\psi_2$, then the following equivalences are used to shift $*$ and $\multimap$ innermost in the formula:

\[ \begin{array}{ll}
(\phi_1 \vee \phi_2) * \phi \equiv (\phi_1 * \phi) \vee (\phi_2 * \phi) & (\phi_1 \vee \phi_2) \multimap \phi \equiv (\phi_1 \multimap \phi) \vee (\phi_2 \multimap \phi) \\
\phi * (\phi_1 \vee \phi_2) \equiv (\phi * \phi_1) \vee (\phi * \phi_2) & \phi \multimap (\phi_1 \vee \phi_2) \equiv (\phi \multimap \phi_1) \vee (\phi \multimap \phi_2)
\end{array} \]

Afterwards, the operands of $*$ and $\multimap$ are minterms, and the result is obtained using the equivalences in Lemmas 3 and 4, respectively (up to a transformation into dnf). The only difficulty is that these lemmas impose some additional conditions on the minterms (e.g., being E-complete, or A-complete). However, the conditions are easy to enforce by case splitting, as illustrated by the following example:

Example 1. Consider the formula $x \mapsto x \multimap y \mapsto y$. It is easy to check that $\mu^{\dagger}(x \mapsto x) = \{M_1\}$, for $\dagger \in \{\mathrm{fin}, \mathrm{inf}\}$, where $M_1 = x \hookrightarrow x \wedge |h| \geq 1 \wedge |h| < 2$, and $\mu^{\dagger}(y \mapsto y) = \{M_2\}$, where $M_2 = y \hookrightarrow y \wedge |h| \geq 1 \wedge |h| < 2$. To apply Lemma 4, we need to ensure that $M_1$ and $M_2$ are E-complete, which may be done by adding either $x \approx y$ or $\neg x \approx y$ to each minterm. We also have to ensure that $M_1$ is A-complete, thus for $z \in \{x, y\}$, we add either $\mathrm{alloc}(z)$ or $\neg\mathrm{alloc}(z)$ to $M_1$. Finally, we must have $M_2^a \cup M_2^p \subseteq \mathrm{cc}(M_1^a \cup M_1^p)$, thus we add either $y \hookrightarrow y$ or $\neg y \hookrightarrow y$ to $M_1$. After removing redundancies, we get (among others) the minterms $M_1' = x \hookrightarrow x \wedge |h| \geq 1 \wedge |h| < 2 \wedge x \approx y$ and $M_2' = y \hookrightarrow y \wedge |h| \geq 1 \wedge |h| < 2 \wedge x \approx y$. Afterwards we compute $\mathrm{elim}^{\mathrm{fin}}_{\multimap}(M_1', M_2') = x \approx y \wedge \neg\mathrm{alloc}(x) \wedge |h| \geq 0 \wedge |h| < 1$. ∎
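The equivalences used above (the test-formula encodings of Sect. 3, the reading of $|h| \geq |U| - 0$ as "every location is allocated" that Sect. 5.1 relies on, and the result of Example 1) can be checked mechanically on small finite structures. The following Python script is an added example, not code from the paper: it implements the semantics of Sect. 2 and the test formulæ of Definition 1 by brute force, enumerating every store and every heap on universes of at most three locations, and uses that to confirm $x \mapsto \mathbf{y} \equiv x \hookrightarrow \mathbf{y} \wedge \neg|h| \geq 2$, $\mathrm{emp} \equiv \neg|h| \geq 1$, $|h| \geq |U| - 0 \equiv^{\mathrm{fin}} \forall z \,.\, \mathrm{alloc}(z)$, and $x \mapsto x \multimap y \mapsto y \equiv^{\mathrm{fin}} x \approx y \wedge \neg\mathrm{alloc}(x) \wedge |h| \geq 0 \wedge |h| < 1$ for $k = 1$. The tuple encoding of formulas, the function names and the bound on the universe size are choices made here; the check is exhaustive only up to that bound, so agreement is evidence for an equivalence, while a disagreement is a definite counter-model.

```python
"""Brute-force model checker for SL^k over finite universes U = {0, ..., n-1}.

Formulas are nested tuples (an encoding chosen here, not the paper's):
  ('emp',)                   emp
  ('pto', x, (y1, ..., yk))  x |-> (y1, ..., yk): the heap is exactly this one cell
  ('eq', x, y)               x ~ y
  ('not', f), ('and', f, g)  boolean connectives
  ('star', f, g)             separating conjunction f * g
  ('wand', f, g)             separating implication f -* g
  ('exists', x, f)           exists x . f
Test formulae of Definition 1:
  ('tpto', x, (y1, ..., yk)) x -> (y1, ..., yk): cell x is allocated and points to y
  ('alloc', x)               s(x) in dom(h)
  ('hge', n)                 |h| >= n
  ('uge', n)                 |U| >= n
  ('hgeU', n)                |h| >= |U| - n
"""
from itertools import product


def heaps(U, k, excluded=frozenset()):
    """Enumerate every heap h : U ->fin U^k whose domain avoids `excluded`."""
    free = [loc for loc in U if loc not in excluded]
    cells = [None] + list(product(U, repeat=k))  # None = location not allocated
    for choice in product(cells, repeat=len(free)):
        yield {loc: img for loc, img in zip(free, choice) if img is not None}


def sat(U, s, h, phi, k):
    """(U, s, h) |= phi, following the inductive definition of Sect. 2."""
    op = phi[0]
    if op == 'emp':
        return len(h) == 0
    if op == 'pto':
        return h == {s[phi[1]]: tuple(s[y] for y in phi[2])}
    if op == 'eq':
        return s[phi[1]] == s[phi[2]]
    if op == 'not':
        return not sat(U, s, h, phi[1], k)
    if op == 'and':
        return sat(U, s, h, phi[1], k) and sat(U, s, h, phi[2], k)
    if op == 'star':  # some split h = h1 (+) h2 with h1 |= f and h2 |= g
        dom = list(h)
        for mask in product((False, True), repeat=len(dom)):
            h1 = {l: h[l] for l, b in zip(dom, mask) if b}
            h2 = {l: h[l] for l, b in zip(dom, mask) if not b}
            if sat(U, s, h1, phi[1], k) and sat(U, s, h2, phi[2], k):
                return True
        return False
    if op == 'wand':  # every disjoint h' |= f must give h (+) h' |= g
        return all(sat(U, s, {**h, **h2}, phi[2], k)
                   for h2 in heaps(U, k, frozenset(h))
                   if sat(U, s, h2, phi[1], k))
    if op == 'exists':
        return any(sat(U, {**s, phi[1]: loc}, h, phi[2], k) for loc in U)
    if op == 'tpto':
        return h.get(s[phi[1]]) == tuple(s[y] for y in phi[2])
    if op == 'alloc':
        return s[phi[1]] in h
    if op == 'hge':
        return len(h) >= phi[1]
    if op == 'uge':
        return len(U) >= phi[1]
    if op == 'hgeU':
        return len(h) >= len(U) - phi[1]
    raise ValueError(f"unknown connective {op!r}")


def septraction(f, g):
    """f -o g  =  not (f -* not g)  (Sect. 2)."""
    return ('not', ('wand', f, ('not', g)))


def hlt(n):
    """|h| < n  =  not (|h| >= n)  (Sect. 3)."""
    return ('not', ('hge', n))


def equivalent(phi, psi, variables, k, max_size):
    """True iff phi and psi agree on every structure with 1 <= |U| <= max_size."""
    for n in range(1, max_size + 1):
        U = list(range(n))
        for vals in product(U, repeat=len(variables)):
            s = dict(zip(variables, vals))
            for h in heaps(U, k):
                if sat(U, s, h, phi, k) != sat(U, s, h, psi, k):
                    return False
    return True


def run_checks(max_size=3):
    """Equivalences claimed in Sect. 3, Sect. 5.1 and Example 1, with k = 1."""
    x, y = 'x', 'y'
    lhs_ex1 = septraction(('pto', x, (x,)), ('pto', y, (y,)))  # x |-> x -o y |-> y
    return {
        # Sect. 3:  x |-> y == x -> y /\ not |h| >= 2,   emp == not |h| >= 1
        'pto_as_test': equivalent(('pto', x, (y,)), ('and', ('tpto', x, (y,)), hlt(2)), [x, y], 1, max_size),
        'emp_as_test': equivalent(('emp',), hlt(1), [x, y], 1, max_size),
        # Sect. 5.1:  |h| >= |U| - 0 == forall z . alloc(z) on finite universes
        'total_heap': equivalent(('hgeU', 0), ('not', ('exists', 'z', ('not', ('alloc', 'z')))), [x, y], 1, max_size),
        # Example 1:  x |-> x -o y |-> y == x ~ y /\ not alloc(x) /\ |h| >= 0 /\ |h| < 1
        'example_1': equivalent(lhs_ex1, ('and', ('eq', x, y), ('and', ('not', ('alloc', x)), ('and', ('hge', 0), hlt(1)))), [x, y], 1, max_size),
        # dropping |h| < 1 from the right-hand side is refuted (counter-model with two locations)
        'example_1_without_emp': equivalent(lhs_ex1, ('and', ('eq', x, y), ('not', ('alloc', x))), [x, y], 1, max_size),
    }


if __name__ == '__main__':
    for name, ok in run_checks().items():
        print(f"{name}: {'holds' if ok else 'fails'}")
```

Running the script prints one line per check. The last check is deliberately wrong: removing $|h| < 1$ from the right-hand side of Example 1 is refuted on a two-location universe where $x = y$ is unallocated but the heap is non-empty, which shows that the checker does produce counter-models rather than vacuously agreeing.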

As explained in Sect. 3.1, boolean combinations of minterms can only be transformed into sat-equivalent $\mathrm{BSR}(\mathrm{FO})$ formulæ if there is no positive occurrence of the test formulæ $|h| \geq |U| - n$ or $\mathrm{alloc}(x)$ (see the conditions in Lemmas 1 (2) and 2). Consequently, we relate the polarity of these formulæ in some minterm $M \in \mu^{\mathrm{fin}}(\phi) \cup \mu^{\mathrm{inf}}(\phi)$ with that of a separating implication within $\phi$. The analysis depends on whether the universe is finite or infinite.

Lemma 6. For any quantifier-free $\mathrm{SL}^k$ formula $\phi$, the following properties hold:

1. For all $M \in \mu^{\mathrm{inf}}(\phi)$, we have $M \cap \{|h| \geq |U| - n,\, |h| < |U| - n \mid n \in \mathbb{N}\} = \emptyset$.

2. If $|h| \geq |U| - n \in M$ [$|h| < |U| - n \in M$] for some minterm $M \in \mu^{\mathrm{fin}}(\phi)$, then a formula $\psi_1 -\!* \psi_2$ occurs at a positive [negative] polarity in $\phi$.

3. If $\mathrm{alloc}(x) \in M$ [$\neg\mathrm{alloc}(x) \in M$] for some minterm $M \in \mu^{\mathrm{inf}}(\phi)$, then a formula $\psi_1 -\!* \psi_2$, such that $x \in \mathrm{var}(\psi_1) \cup \mathrm{var}(\psi_2)$, occurs at a positive [negative] polarity in $\phi$.

4. If $M \cap \{\mathrm{alloc}(x),\, \neg\mathrm{alloc}(x) \mid x \in \mathrm{Var}\} \neq \emptyset$ for some minterm $M \in \mu^{\mathrm{fin}}(\phi)$, then a formula $\psi_1 -\!* \psi_2$, such that $x \in \mathrm{var}(\psi_1) \cup \mathrm{var}(\psi_2)$, occurs in $\phi$ at some polarity $p \in \{-1, 1\}$. Moreover, $\mathrm{alloc}(x)$ occurs at a polarity $-p$ only if $\mathrm{alloc}(x)$ is in the scope of a $\lambda^{\mathrm{fin}}$ subformula (10) of a formula $\mathrm{elim}^{\mathrm{fin}}_{\multimap}(M_1, M_2)$ used to compute $\bigvee_{M \in \mu^{\mathrm{fin}}(\phi)} M$.


Given a quantifier-free $\mathrm{SL}^k$ formula $\phi$, the number of minterms occurring in $\mu^{\mathrm{fin}}(\phi)$ [$\mu^{\mathrm{inf}}(\phi)$] is exponential in the size of $\phi$, in the worst case. Therefore, an optimal decision procedure cannot generate and store these sets explicitly, but rather must enumerate minterms lazily. We show that (i) the size of the minterms in $\mu^{\mathrm{fin}}(\phi) \cup \mu^{\mathrm{inf}}(\phi)$ is bounded by a polynomial in the size of $\phi$, and that (ii) the problem "given a minterm $M$, does $M$ occur in $\mu^{\mathrm{fin}}(\phi)$ [resp. in $\mu^{\mathrm{inf}}(\phi)$]?" is in PSPACE. To this aim, we define a measure $\mathcal{M}$ on quantifier-free formulæ $\phi$, which bounds the size of the minterms in the sets $\mu^{\mathrm{fin}}(\phi)$ and $\mu^{\mathrm{inf}}(\phi)$, inductively on the structure of the formulæ:

\[ \begin{array}{ll}
\mathcal{M}(x \approx y) \triangleq 0 & \mathcal{M}(\bot) \triangleq 0 \\
\mathcal{M}(\mathrm{emp}) \triangleq 1 & \mathcal{M}(x \mapsto \mathbf{y}) \triangleq 2 \\
\mathcal{M}(\neg\phi_1) \triangleq \mathcal{M}(\phi_1) & \mathcal{M}(\phi_1 \wedge \phi_2) \triangleq \max(\mathcal{M}(\phi_1), \mathcal{M}(\phi_2)) \\
\mathcal{M}(\phi_1 * \phi_2) \triangleq \sum_{i=1}^{2} (\mathcal{M}(\phi_i) + \|\mathrm{var}(\phi_i)\|) & \mathcal{M}(\phi_1 -\!* \phi_2) \triangleq \sum_{i=1}^{2} (\mathcal{M}(\phi_i) + \|\mathrm{var}(\phi_i)\|)
\end{array} \]

Definition 6. A minterm $M$ is $\mathcal{M}$-bounded by a formula $\phi$ if for each literal $\ell \in M$, the following hold: (i) $\mathcal{M}(\ell) \leq \mathcal{M}(\phi)$ if $\ell \in \{|h| \geq \min_M,\, |h| < \max_M\}$; (ii) $\mathcal{M}(\ell) \leq 2\mathcal{M}(\phi) + 1$ if $\ell \in \{|U| \geq n,\, |U| < n \mid n \in \mathbb{N}\}$.

The following lemma provides the desired result:

Lemma 7. Given a quantifier-free $\mathrm{SL}^k$ formula $\phi$, each minterm $M \in \mu^{\mathrm{fin}}(\phi) \cup \mu^{\mathrm{inf}}(\phi)$ is $\mathcal{M}$-bounded by $\phi$.

The proof goes by a careful analysis of the test formulæ introduced in Lemmas 3 and 4 or created by minterm transformations (see [8] for details). Since $\mathcal{M}(\phi)$ is polynomially bounded by $\mathrm{size}(\phi)$, this entails that it is possible to check whether $M \in \mu^{\mathrm{fin}}(\phi)$ [resp. $\mu^{\mathrm{inf}}(\phi)$] using space bounded also by a polynomial in $\mathrm{size}(\phi)$.

Lemma 8. Given a minterm $M$ and a quantifier-free $\mathrm{SL}^k$ formula $\phi$, the problems of checking whether $M \in \mu^{\mathrm{fin}}(\phi)$ and $M \in \mu^{\mathrm{inf}}(\phi)$ are in PSPACE.
Remark 1. Observe that the formulæ $\mathrm{elim}_*(M_1, M_2)$ and $\mathrm{elim}^{\dagger}_{\multimap}(M_1, M_2)$ in Lemmas 3 and 4 are of exponential size, because $Y$ ranges over sets of variables. However, these formulæ do not need to be constructed explicitly. To check that $M \in \mu^{\mathrm{fin}}(\phi)$ or $M \in \mu^{\mathrm{inf}}(\phi)$, we only have to guess such sets $Y$. See [8] for details.


5 Bernays-Schönfinkel-Ramsey $\mathrm{SL}^k$

This section gives the results concerning decidability of the (in)finite satisfiability problems within the $\mathrm{BSR}(\mathrm{SL}^k)$ fragment. $\mathrm{BSR}(\mathrm{SL}^k)$ is the set of sentences $\forall y_1 \ldots \forall y_m \,.\, \phi$, where $\phi$ is a quantifier-free $\mathrm{SL}^k$ formula with $\mathrm{var}(\phi) = \{x_1, \ldots, x_n, y_1, \ldots, y_m\}$, where the existentially quantified variables $x_1, \ldots, x_n$ are left free. First, we show that, contrary to $\mathrm{BSR}(\mathrm{FO})$, the satisfiability of $\mathrm{BSR}(\mathrm{SL}^k)$ is undecidable for $k \geq 2$. Second, we carve two nontrivial fragments of $\mathrm{BSR}(\mathrm{SL}^k)$, for which the infinite and finite satisfiability problems are both PSPACE-complete. These fragments are defined based on restrictions of (i) the polarities of the occurrences of the separating implication, and (ii) the occurrences of universally quantified variables in the scope of separating implications. These results draw a rather precise chart of decidability within the $\mathrm{BSR}(\mathrm{SL}^k)$ fragment. For $k = 1$, the satisfiability problem of $\mathrm{BSR}(\mathrm{SL}^1)$ is in PSPACE [7] (it is undecidable for arbitrary $\mathrm{SL}^1$ formulæ [2] and decidable but nonelementary for prenex formulæ [7]).


5.1 Undecidability of $\mathrm{BSR}(\mathrm{SL}^k)$

Theorem 1. The finite and infinite satisfiability problems are both undecidable for $\mathrm{BSR}(\mathrm{SL}^k)$, for $k \geq 2$.

We provide a brief sketch of the proof; see [8] for details. We consider the finite satisfiability problem of the $[\forall, (0), (2)]_=$ fragment of FO, which consists of sentences of the form $\forall x \,.\, \phi(x)$, where $\phi$ is a quantifier-free boolean combination of atomic propositions $t_1 \approx t_2$, and $t_1, t_2$ are terms built using two function symbols $f$ and $g$, of arity one, the variable $x$ and a constant $c$. It is known (see e.g. [1, Theorem 4.1.8]) that finite satisfiability is undecidable for $[\forall, (0), (2)]_=$.

We reduce this problem to $\mathrm{BSR}(\mathrm{SL}^2)$ satisfiability. The idea is to encode the values of $f$ and $g$ into the heap, in such a way that every element $x$ points to $(f(x), g(x))$. Given a sentence $\varphi = \forall x \,.\, \phi(x)$ in $[\forall, (0), (2)]_=$, we proceed by first flattening each term in $\phi$ consisting of nested applications of $f$ and $g$. The result is an equivalent sentence $\varphi_{\mathrm{flat}} = \forall x_1 \ldots \forall x_n \,.\, \phi_{\mathrm{flat}}$, in which the only terms are $x_i$, $c$, $f(x_i)$, $g(x_i)$, $f(c)$ and $g(c)$, for $i \in [1, n]$. For example, the formula $\forall x \,.\, f(g(x)) \approx c$ is flattened into $\forall x_1 \forall x_2 \,.\, g(x_1) \not\approx x_2 \vee f(x_2) \approx c$. We define the following $\mathrm{BSR}(\mathrm{SL}^2)$ sentences $\psi_{\dagger}$, for $\dagger \in \{\mathrm{fin}, \mathrm{inf}\}$:

\[ \alpha^{\dagger} \wedge x_c \hookrightarrow (y_c, z_c) \wedge \forall x_1 \ldots \forall x_n \forall y_1 \ldots \forall y_n \forall z_1 \ldots \forall z_n \,.\, \bigwedge_{i=1}^{n} x_i \hookrightarrow (y_i, z_i) \rightarrow \phi'_{\mathrm{flat}} \tag{11} \]

with $\alpha^{\mathrm{fin}} \triangleq \forall x \,.\, \mathrm{alloc}(x)$ or $\alpha^{\mathrm{fin}} \triangleq |h| \geq |U| - 0$, $\alpha^{\mathrm{inf}} \triangleq \forall x \forall y \forall z \,.\, x \hookrightarrow (y, z) \rightarrow \mathrm{alloc}(y) \wedge \mathrm{alloc}(z)$, and $\phi'_{\mathrm{flat}}$ is obtained from $\phi_{\mathrm{flat}}$ by replacing each occurrence of $c$ by $x_c$, each term $f(c)$ [$g(c)$] by $y_c$ [$z_c$] and each term $f(x_i)$ [$g(x_i)$] by $y_i$ [$z_i$]. Intuitively, $\alpha^{\mathrm{fin}}$ asserts that the heap is a total function, and $\alpha^{\mathrm{inf}}$ states that every referenced cell is allocated⁵. It is easy to check that $\varphi$ and $\psi_{\dagger}$ are equisatisfiable. The undecidability result still holds for finite satisfiability if a single occurrence of $-\!*$ is allowed, in a (ground) formula $|h| \geq |U| - 0$ (see the definition of $\alpha^{\mathrm{fin}}$ above).


5.2 Two Decidable Fragments of BSR(SL^k) 


The reductions (11) use either positive occurrences of alloc(x), where x is uni- 
versally quantified, or test formulæ |h| ≥ |U| − n. We obtain decidable subsets 
of BSR(SL^k) by eliminating the positive occurrences of both (i) alloc(x), with x 
universally quantified, and (ii) |h| ≥ |U| − n, from μ^†(φ), where † ∈ {fin, inf} and 
∀y_1 ... ∀y_m . φ is any BSR(SL^k) formula. Note that μ^inf(φ) contains no formulæ 
of the form |h| ≥ |U| − n, which explains why slightly less restrictive conditions 
are needed for infinite structures. 


Definition 7. Given an integer k ≥ 1, we define: 

1. BSR^inf(SL^k) as the set of sentences ∀y_1 ... ∀y_m . φ such that for all i ∈ [1, m] 
and all formulæ ψ_1 −∗ ψ_2 occurring at polarity 1 in φ, we have y_i ∉ var(ψ_1) ∪ 
var(ψ_2), 

2. BSR^fin(SL^k) as the set of sentences ∀y_1 ... ∀y_m . φ such that no formula 
ψ_1 −∗ ψ_2 occurs at polarity 1 in φ. 

Note that BSR^fin(SL^k) ⊆ BSR^inf(SL^k) ⊆ BSR(SL^k), for any k ≥ 1. 


Remark 2. Because the polarity of the antecedent of a −∗ is neutral, Definition 7 
imposes no constraint on the occurrences of separating implications at the left 
of a −∗⁶. 


The decidability result of this paper is stated below: 


Theorem 2. For any integer k ≥ 1 not depending on the input, the infinite 
satisfiability problem for BSR^inf(SL^k) and the finite satisfiability problem for 
BSR^fin(SL^k) are both PSPACE-complete. 


We provide a brief sketch of the proof (all details are available in [8]). In both 
cases, PSPACE-hardness is an immediate consequence of the fact that the quan- 
tifier-free fragment of SL^k, without the separating implication, but with the sepa- 
rating conjunction and negation, is PSPACE-hard [4]. For PSPACE-membership, 
consider a formula φ in BSR^inf(SL^k), and its equivalent disjunction of minterms 
φ' (of exponential size). Lemma 8 gives us an upper bound on the size of test 
formulæ in φ', hence on the number of constant symbols occurring in τ(φ'). This, 
in turn, gives a bound on the cardinality of the model of τ(φ'). We may thus 
guess such an interpretation, and check that it is indeed a model of τ(φ') by 
enumerating all the minterms in φ' (this is feasible in polynomial space thanks 
to Lemma 8) and translating them on-the-fly into first-order formulæ. The only 
subtle point is that the model obtained in this way is finite, whereas our aim 
is to test that the obtained formula has an infinite model. This difficulty can be 
overcome by adding an axiom ensuring that the domain contains more unallo- 
cated elements than the total number of constant symbols and variables in the 
formula. This is sufficient to prove that the obtained model, although finite, 
can be extended into an infinite model, obtained by creating infinitely many 
copies of these elements. 

⁵ Note that the two definitions of α^fin are equivalent. The formula α^fin is unsatisfiable 
on infinite universes, which explains why the definitions of α^fin and α^inf differ. 

⁶ The idea is that if a formula alloc(x) or |h| ≥ |U| − n occurs in the antecedent of a 
−∗, then it will be eliminated by the transformation in Lemma 4. In contrast, such 
test formulæ will not be eliminated if they occur in the consequent of a −∗. 

The proof for BSR^fin(SL^k) is similar, but far more involved. The problem is 
that, if the universe is finite, then alloc(x) test formulæ may occur at a pos- 
itive polarity, even if every φ_1 −∗ φ_2 subformula occurs at a negative polarity, 
due to the positive occurrences of alloc(x) within ⋁^fin (10) in the definition of 
elim^fin_{−∗}(M_1, M_2). As previously discussed, positive occurrences of alloc(x) hinder 
the translation into BSR(FO), because of the existential quantifiers that may 
occur in the scope of a universal quantifier. The solution is to distinguish a 
class of finite structures (U, s, h), the so-called α-controlled structures, for some 
α ∈ N, for which there are locations ℓ_1, ..., ℓ_α such that every location ℓ ∈ U 
is either ℓ_i or points to a tuple from the set {ℓ_1, ..., ℓ_α, ℓ}. For such structures, 
the formulæ alloc(x) can be eliminated in a straightforward way because they 
are equivalent to ⋁_{i=1}^{α} (x ≈ ℓ_i ∧ alloc(ℓ_i)). If the structure is not α-controlled, 
then we can show that there exist sufficiently many unallocated cells, so that 
all the cardinality constraints of the form |h| < |U| − n or |U| ≥ n are always 
satisfied. This ensures that the truth values of the positive occurrences of alloc(x) 
are irrelevant, because they only occur in formulæ Λ^fin that are always true if 
all test formulæ |h| < |U| − n or |U| ≥ n are true (see the definition of Λ^fin in 
Lemma 4). 


6 Conclusions and Future Work 


We have studied the decidability problem for SL formulæ with quantifier prefix 
in the language ∃*∀*, denoted as BSR(SL^k). Although the fragment was found to 
be undecidable, we identified two non-trivial subfragments for which the infinite 
and finite satisfiability are PSPACE-complete. These fragments are defined by 
restricting the use of universally quantified variables within the scope of sepa- 
rating implications at positive polarity. The universal quantifiers and separating 
conjunctions are useful to express local constraints on the shape of the data 
structure, whereas the separating implications allow one to express dynamic 
transformations of these data structures. As a consequence, separating implica- 
tions usually occur negatively in the formulæ tested for satisfiability, and the 
decidable classes found in this work are of great practical interest. Future work 
involves formalizing and implementing an invariant checking algorithm based on 
the above ideas, and using the techniques for proving decidability (namely the 
translation of quantifier-free SL^k formulæ into boolean combinations of test 
formulæ) to solve other logical problems, such as frame inference, abduction and 
possibly interpolation. 


Acknowledgments. The authors wish to acknowledge the contributions of Stéphane 
Demri and Etienne Lozes to the insightful discussions during the early stages of this 
work. 
Abstract. Unordered data Petri nets (UDPN) are an extension of clas- 
sical Petri nets with tokens that carry data from an infinite domain and 
where transitions may check equality and disequality of tokens. UDPN 
are well-structured, so the coverability and termination problems are 
decidable, but with higher complexity than for Petri nets. On the other 
hand, the problem of reachability for UDPN is surprisingly complex, 
and its decidability status remains open. In this paper, we consider the 
continuous reachability problem for UDPN, which can be seen as an 
over-approximation of the reachability problem. Our main result is a 
characterization of continuous reachability for UDPN and a polynomial 
time algorithm for solving it. This is a consequence of a combinatorial 
argument, which shows that if continuous reachability holds then there 
exists a run using only polynomially many data values. 


Keywords: Petri nets · Continuous reachability · Unordered data · 
Polynomial time 


1 Introduction 


The theory of Petri nets has been developing for more than 50 years. On one 
hand, from a theory perspective, Petri nets are interesting due to their deep math- 
ematical structure and, despite exhibiting nice properties, like being a well struc- 
tured transition system [1], we still don't understand them well. On the other hand, 
Petri nets are a useful pictorial formalism for modeling and thus found their way 
to the industry. To connect this theory and practice, it would be desirable to use 
the developed theory of Petri nets [2-4] for the symbolic analysis and verification 
of Petri net models. However, we already know that this is difficult in its full gen- 
erality. It suffices to recall two results that were proved more than 30 years apart. 
An old but classical result by Lipton [5] shows that even coverability is ExpSpace- 
hard, while the non-elementary hardness of the reachability relation has just been 
established this year [6]. Moreover, when we look at Petri net based formalisms 
that are needed to model various aspects of industrial systems, we see that they go 
beyond the expressivity of Petri nets. For instance, colored Petri nets, which are 
used in modeling workflows [7], allow the tokens to be colored with an infinite set 
of colors, and introduce a complex formalism to describe dependencies between 
colors. This makes all verification problems undecidable for this generic model. 
Given the basic nature and importance of the reachability problem in Petri nets 
(and its extensions), there have been several efforts to sidestep the complexity- 
theoretic hardness results. One common approach is to look for easy subclasses 
(such as bounded nets [8], free-choice nets [9], etc.). The other approach, which we 
adopt in this work, is to compute over-approximations of the reachability relation. 


Continuous Reachability. A natural question regarding the dynamics of a Petri 
net is to ask what would happen if tokens, instead of behaving like discrete units, 
started to behave like a continuous fluid. This simple question led to an elegant 
theory of so-called continuous Petri nets [10-12]. Petri nets with continuous 
semantics allow markings to be functions from places to nonnegative rational 
numbers (i.e., in Q^+) instead of natural numbers. Moreover, whenever a tran- 
sition is fired a positive rational coefficient is chosen and both the number of 
consumed and produced tokens are multiplied with the coefficient. This allows 
one to split tokens into arbitrarily small parts and process them independently. This 
may occur, e.g., in applications related to hybrid systems where the discrete part 
is used to control the continuous system [13,14]. Interestingly, this makes things 
simpler to analyze. For example, reachability under the continuous semantics for 
Petri nets is PTime-complete [11]. However, when one wants to analyze exten- 
sions of Petri nets, e.g., reset Petri nets with continuous semantics, it turns out 
that reachability is as hard as reachability in reset Petri nets under the usual 
semantics, i.e., it is undecidable¹. In this paper we identify an extension of Petri 
nets with unordered data, for which this is not the case and continuous semantics 
leads to a substantial reduction in the complexity of the reachability problem. 


Unordered Data Petri Nets. The possibility of equipping tokens with some addi- 
tional information is one of the main lines of research regarding extensions of Petri 
nets, the best known being Colored Petri nets [15] and various types of timed Petri 
nets [16,17]. In [18] the authors equipped tokens with data and restricted interactions 
between data in a way that allows one to transfer techniques for well structured transi- 
tion systems. They identified various classes of nets exhibiting interesting combi- 
natorial properties which led to a number of results [19-23]. Unordered Data Petri 
Nets (UDPN) are the simplest among them: every token carries a single datum like a 
barcode and transitions may check equality or disequality of data in consumed and 
produced tokens. UDPN are the only class identified in [18] for which reacha- 
bility is still unsolved, although in [20] the authors show that the problem is at least 
Ackermannian-hard (for all other data extensions, reachability is undecidable). 
A recent attempt to over-approximate the reachability relation for UDPN in [22] 
considers integer reachability, i.e., the number of tokens may get negative during the 
run (also called a solution of the state equation). From the above perspective, this 
paper is an extension of the mentioned line of research. 

¹ This can be seen on the same lines as the proof of undecidability of continuous 
reachability for Petri nets with zero tests [12]. 


Our Contribution. Our main contribution is a characterization of continuous 
reachability in UDPN and a polynomial time algorithm for solving it. Observe 
that if we find an upper bound on the minimal number of data required by a run 
between two configurations (if any run exists), then we can reduce continuous 
reachability in UDPN to continuous reachability in vanilla Petri nets with an 
exponential blowup and use the already developed characterization from [11]. 
In Sect. 5 we prove such a bound on the minimal number of required data. The 
bound is novel and exploits techniques that did not appear previously in the 
context of data nets. Further, the obtained bounds are lower than bounds on 
the number of data values required to solve the state equation [22], which is 
surprising considering that existence of a continuous run requires a solution of a 
sort of state equation. Precisely, the difference is that we are looking for solutions 
of the state equation over Q^+ instead of N and in this case we prove better bounds 
for the number of data required. This also gives us an easy polytime algorithm 
for finding Q^+-solutions of state equations of UDPN (we remark that for Petri 
nets without data, this appears among standard algebraic techniques [24]). 

Finally, with the above bound, we solve continuous reachability in UDPN 
by adapting the techniques from the non-data setting of [12,25]. We adapt the 
characterization of continuous reachability to the data setting and next encode 
it as a system of linear equations with implications. In doing so, however, we face 
the problem that a naive encoding (representing data explicitly) gives a system 
of equations of exponential size, giving only an ExpTime algorithm. To improve 
the complexity, we use histograms, a combinatorial tool developed in [22], to 
compress the description of solutions of state equations in UDPNs. However, 
this may lead to spurious solutions for continuous reachability. To eliminate 
them, we show that it suffices to first transform the net and then apply the 
idea of histograms to characterize continuous runs in the modified net. The 
whole procedure is described in Sect. 7.3 and leads us to our PTime algorithm 
for continuous reachability in UDPN. Note that since we easily have PTime 
hardness for the problem (even without data), we obtain that the problem of 
continuous reachability in UDPN is PTime-complete. 


Towards Verification. Over-approximations are useful in verification of Petri 
nets and their extensions: as explained in [24], for many practical problems, 
over-approximate solutions are already correct. Further, we can use them as a 
sub-routine to improve the practical performance of verification algorithms. A 
remarkable example is the recent work in [25], where the PTime continuous 
reachability algorithm for Petri nets from [11] is used as a subroutine to solve 
the ExpSpace hard coverability problem in Petri nets, outperforming the best 
known tools for this problem, such as Petrinizer [26]. Our results can be seen as a 
first step in the same spirit towards handling practical instances of coverability, 
but for the extended model of UDPN, where the coverability problem for UDPN 
is known to be Ackermannian-hard [20]. 
Omitted proofs and details can be found in the extended version at [27]. 
2 Preliminaries 


We denote integers, non-negative integers, rationals, and reals as Z, N, Q, and 
R, respectively. For a set X ⊆ R denote by X^+ the set of all non-negative 
elements of X. We denote by 0 a vector whose entries are all zero. We define 
in a standard point-wise way operations on vectors, i.e. scalar multiplication ·, 
addition +, subtraction −, and vector comparison ≤. In this paper, we use 
functions of the type X → (Y → Z), and instead of (f(x))(y), we write f(y, x). 
For functions f, g where the range of g is a subset of the domain of f, we denote 
their composition by f ∘ g. If π is an injection then by π^{-1} we mean a partial 
function such that π^{-1} ∘ π is the identity function. Let f : X_1 → Y, g : X_2 → Y 
be two functions with addition and scalar multiplication operations defined on Y. 
A scalar multiplication of a function is defined as follows: (a · f)(x) = a · f(x) for all 
x ∈ X_1. We lift the addition operation to functions pointwise, i.e. f + g : X_1 ∪ X_2 → Y 
such that 

$$
(f + g)(x) = \begin{cases}
f(x) & \text{if } x \in X_1 \setminus X_2 \\
g(x) & \text{if } x \in X_2 \setminus X_1 \\
f(x) + g(x) & \text{if } x \in X_1 \cap X_2.
\end{cases}
$$

Similarly for subtraction (f − g)(x) = f(x) + (−1) · g(x), and f ≤ g if for all 
x ∈ X_1 ∪ X_2, (g − f)(x) ≥ 0. 

We use matrices with rows and columns indexed by sets S_1, S_2, possibly 
infinite. For a matrix M, let M(r, c) denote the entry at column c and row 
r, and M(r, •), M(•, c) denote the row vector indexed by r and the column vec- 
tor indexed by c, respectively. Denote by col(M), row(M) the set of indices 
of nonzero columns and nonzero rows of the matrix M, respectively. Even if 
we have infinitely many rows or columns, our matrices will have only finitely 
many nonzero rows and columns, and only this nonzero part will be repre- 
sented. Following our nonstandard matrix definition we precisely define oper- 
ations on them, although they are natural. First, a multiplication by a con- 
stant number produces a new matrix with rows and columns labelled with the 
same sets S_1, S_2 and defined as follows: (a · M)(r, c) = a · (M(r, c)) for all 
(r, c) ∈ S_1 × S_2. Addition of two matrices is only defined if the sets index- 
ing rows S_1 and columns S_2 are the same for both summands M_1 and M_2; 
∀(r, c) ∈ S_1 × S_2 the sum is (M_1 + M_2)(r, c) = M_1(r, c) + M_2(r, c), and the subtraction 
M_1 − M_2 is a shorthand for M_1 + (−1) · M_2. Observe that all but finitely many 
entries in matrices are 0, and therefore when we do computation on matrices we 
can restrict to rows row(M_1) ∪ row(M_2) and columns col(M_1) ∪ col(M_2). Sim- 
ilarly the comparison of two matrices M_1, M_2 is defined as follows: M_1 ≤ M_2 
if ∀(r, c) ∈ (row(M_1) ∪ row(M_2)) × (col(M_1) ∪ col(M_2)), M_1(r, c) ≤ M_2(r, c); 
the relations ≥, >, < are defined analogously. The last operation which we need is 
matrix multiplication M_1 · M_2 = M_3; it is only allowed if the set of columns 
of the first matrix M_1 is the same as the set of rows of the second matrix 
M_2, and the sets of rows and columns of the resulting matrix M_3 are the rows of the 
matrix M_1 and the columns of M_2, respectively: M_3(r, c) = Σ_k M_1(r, k) M_2(k, c), 
where k runs through the columns of M_1. Again, observe that if a row or a col- 
umn is equal to 0 for all entries then the effect of multiplication is 0, thus we 
may restrict to row(M_1) and col(M_2). Moreover in the sum it suffices to write 

$$
M_3(r, c) = \sum_{k \in \mathrm{col}(M_1)} M_1(r, k)\, M_2(k, c).
$$


3 UDPN, Reachability and Its Variants: Our Main Results 


Unordered data Petri nets extend the classical model of Petri nets by allowing 
each token to hold a data value from a countably-infinite domain D. Our defini- 
tion is closest to the definition of ν-Petri nets from [28]. For simplicity we choose 
this one instead of using the equivalent but complex one from [18]. 


Definition 1. Let D be a countably infinite set. An unordered data Petri net 
(UDPN) over domain D is a tuple (P, T, F, Var) where P is a finite set of places, 
T is a finite set of transitions, Var is a finite set of variables, and F : (P × T) ∪ 
(T × P) → (Var → N) is a flow function that assigns each place p ∈ P and 
transition t ∈ T a function over variables in Var. 


For each transition t ∈ T we define functions F(•, t) and F(t, •) : Var → 
(P → N) as F(•, t)(p, x) = F(p, t)(x) and analogously F(t, •)(p, x) = F(t, p)(x). 
The displacement of the transition t is a function Δ(t) : Var → (P → Z) defined as 

Δ(t) ≝ F(t, •) − F(•, t). 


For X ∈ {N, Z, Q, Q^+}, we define an X-marking as a function M : D → (P → 
X) that is constant 0 on all except finitely many values of D. Intuitively, M(p, α) 
denotes the number of tokens with the data value α at place p. The fact that 
it is 0 at all but finitely many data means that the number of tokens in any 
X-marking is finite. We denote the infinite set of all X-markings by M_X. 

We define an X-step as a triple (c, t, π) for a transition t ∈ T, a mode π being 
an injective map π : Var → D, and a scalar constant c ∈ X^+. An X-step (c, t, π) 
is fireable at an X-marking i if i − c · F(•, t) ∘ π^{-1} ∈ M_X. 

The X-marking f reached after firing an X-step (c, t, π) at i is given as 
f = i + c · Δ(t) ∘ π^{-1}. We also say that an X-step (c, t, π) when fired consumes 
tokens c · F(•, t) ∘ π^{-1} and produces tokens c · F(t, •) ∘ π^{-1}. We define an X-run as 
a sequence of X-steps and we can represent it as {(c_i, t_i, π_i)}_{|ρ|}, where (c_i, t_i, π_i) 
is the i-th X-step and |ρ| is the number of X-steps. A run ρ = {(c_i, t_i, π_i)}_{|ρ|} 
is fireable at an X-marking i if, ∀ 1 ≤ i ≤ |ρ|, the step (c_i, t_i, π_i) is fireable at 
i + Σ_{j=1}^{i−1} c_j Δ(t_j) ∘ π_j^{-1}. By i →^ρ_X f we denote that ρ is fireable at i and after 
firing ρ at i we reach the X-marking f = i + Σ_{i=1}^{|ρ|} c_i · Δ(t_i) ∘ π_i^{-1}. We call (the 
function computed by) the mentioned sum Σ_{i=1}^{|ρ|} c_i Δ(t_i) ∘ π_i^{-1} the effect of 
the run and denote it by Δ(ρ). 

We fix some notations for the rest of the paper. We use Greek letters α, β, γ 
to denote data values from the data domain D, ρ, σ to denote runs, π to denote 
a mode and x, y, z to denote variables. When clear from the context, we 
may omit X from X-marking, X-run and just write marking, run, etc. Further, 
we will use letters in bold, e.g., m, to denote markings, where i, f will be used 
for initial and final markings respectively. Further, throughout the paper, unless 
stated explicitly otherwise, we will refer to a UDPN N = (P, T, F, Var), therefore 
P, T, F, Var will denote the places, transitions, flow, and variables of this UDPN. 


Example 1. An example of a simple UDPN N_1 is given in Fig. 1. For this example, 
we have P = {p_1, p_2, p_3, p_4}, T = {t}, Var = {x, y, z}, and the flow relation is given 
by F(p_1, t) = {y ↦ 1}, F(p_2, t) = {x ↦ 1}, F(t, p_3) = {y ↦ 2}, F(t, p_4) = {x ↦ 1, z ↦ 1}, 
and an assignment of 0 to every variable for the remaining pairs. Thus, for 
enabling transition t, p_1 and p_2 must have one token each with a different 
data value (since x ≠ y) and after firing two tokens are produced in p_3 with the 
same data value as was consumed from p_1 and two tokens are produced in p_4, one 
of which has the same data as consumed from p_2. 

[Fig. 1. A simple UDPN N_1 (figure not reproduced): arcs p_1 → t and p_2 → t labelled y and x; arcs t → p_3 and t → p_4 labelled 2y and x, z.] 


Definition 2. Given X-markings i, f, we say f is X-reachable from i if there 
exists an X-run ρ s.t. i →^ρ_X f. 


When X = N, X-reachability is the classical reachability problem, whose 
decidability is still unknown, while Z-reachability for UDPN is in NP [22]. 

In this paper we tackle Q- and Q^+-reachability, also called continuous reach- 
ability in UDPN. 

The first step towards the solution is showing that if a Q^+-marking f is 
Q^+-reachable from a Q^+-marking i, then there exists a Q^+-run ρ which uses 
polynomially many data values and i →^ρ_{Q^+} f. We first formalize the set of 
distinct data values associated with X-markings, data values used in X-runs and 
variables associated with a transition. 


Definition 3. For N = (P, T, F, Var) a UDPN, an X-marking m, t ∈ T, and an 
X-run ρ = {(c_i, t_i, π_i)}_{|ρ|}, we define 


1. vars(t) = {x ∈ Var | ∃p ∈ P : F(p, t)(x) ≠ 0 ∨ F(t, p)(x) ≠ 0}. 
2. dval(m) = {α ∈ D | ∃p ∈ P : m(p, α) ≠ 0}. 
3. dval(ρ) = {α ∈ D | ∃i ≤ |ρ| ∃x ∈ vars(t_i) : π_i(x) = α}. 


With this we state the first main result of this paper, which provides a bound 
on witnesses of Q, Q*-reachability, and is proved in Sect. 5. 


Theorem 1. For X ∈ {Q, Q^+}, if an X-marking f is X-reachable from an initial 
X-marking i, then there is an X-run ρ such that i →^ρ_X f and |dval(ρ)| ≤ |dval(i) ∪ 
dval(f)| + 1 + max_{t∈T}(|vars(t)|). 


Using the above bound, we obtain a polynomial time algorithm for Q- 
reachability, as detailed in Sect. 6. 
Theorem 2. Given N = (P, T, F, Var) a UDPN and two Q-markings i, f, 
deciding if f is Q-reachable from i in N is in polynomial time. 


Finally, we consider continuous, i.e., Q^+-reachability for UDPN. We adapt 
the techniques used for Q^+-reachability of Petri nets without data from [11,12] 
to the setting with data, and obtain a characterization of Q^+-reachability for 
UDPN in Sect. 7.1. Finally, in Sect. 7.3, we show how the characterization can 
be combined with the above bound and compression techniques from [22] to 
obtain a polynomial sized system of linear equations with implications over Q^+. 
To do so, we require a slight transformation of the net which is described in 
Sect. 7.2. This leads to our headline result, stated below. 


Theorem 3 (Continuous reachability for UDPN). Given a UDPN N = 
(P, T, F, Var) and two Q^+-markings i, f, deciding if f is Q^+-reachable from i in 
N is in polynomial time. 


The rest of this paper is dedicated to proving these theorems. First, we present 
an equivalent formulation via matrices, which simplifies the technical arguments. 


4 Equivalent Formulation via Matrices 


From now on, we restrict X to a symbol denoting Q or Q^+. We formulate the 
definitions presented earlier in terms of matrices, since objects such as 
X-markings are intuitive to define as functions but difficult to operate upon. 

In the following, we abuse the notation and use the same names for objects as 
well as matrices representing them. We remark that this is safe as all arithmetic 
operations on objects correspond to matching operations on matrices. 

An X-marking m is a P × D matrix M, where ∀p ∈ P, ∀α ∈ D, M(p, α) = 
m(p, α). As a finite representation, we keep only a P × dval(m) matrix of non- 
zero columns. For a transition t ∈ T, we represent F(t, •), F(•, t) as P × Var 
matrices. Note that (t, •) is not the position in the matrix, but is part of the 
name of the matrix; its entry at (i, j) ∈ P × Var is given by F(t, •)(i, j). For 
a place p ∈ row(F(t, •)), the row F(t, •)(p, •) is a vector in N^Var, given by 
the equation F(•, t)(p, •)(x) = F(p, t)(x) for p ∈ P, t ∈ T, x ∈ Var. Similarly, 
Δ(t) is a P × Var matrix with Δ(t)(p, x) = F(t, •)(p, x) − F(•, t)(p, x) for t ∈ 
T, p ∈ P, and x ∈ Var. Although both Δ(t) and F(•, t) are defined as P × Var 
matrices, only the columns for variables in vars(t) may be non-zero, so often we 
will iterate only over vars(t) instead of Var. 

Finally, we capture a mode π : Var → D as a Var × D permutation matrix 
P. Although P may not be a square matrix, we abuse notation and call them 
permutation matrices. P basically represents an assignment of variables in Var to 
data values just like π does. An entry of 1 represents that the corresponding 
variable is assigned the corresponding data value in mode π. Thus, for each mode 
π : Var → D there is a permutation matrix P_π, such that for all x ∈ Var, α ∈ D, 
P_π(x, α) = 1 if π(x) = α, and P_π(x, α) = 0 otherwise. Formulating a mode as a 
permutation matrix has the advantage that Δ(t) ∘ π^{-1} is captured by Δ(t) · P_π. 
Example 2. In the UDPN N_1 from Example 1, if D = {red, blue, green, black} 
then the initial marking i can be represented by the matrix i below and the 
function Δ(t) by the matrix Δ(t): 

$$
\mathbf{i} = \begin{array}{c|cccc}
 & \text{red} & \text{blue} & \text{green} & \text{black} \\ \hline
p_1 & 1 & 0 & 1 & 0 \\
p_2 & 0 & 1 & 0 & 0 \\
p_3 & 2 & 0 & 0 & 0 \\
p_4 & 1 & 1 & 0 & 0
\end{array}
\qquad
\Delta(t) = \begin{array}{c|ccc}
 & x & y & z \\ \hline
p_1 & 0 & -1 & 0 \\
p_2 & -1 & 0 & 0 \\
p_3 & 0 & 2 & 0 \\
p_4 & 1 & 0 & 1
\end{array}
$$

If we fire transition t with the assignment x = blue, y = green, z = black, we 
get the net depicted below (left), with marking f (below center). The 
permutation matrix corresponding to the mode of the fired transition is given by the 
matrix P on the right. Note that the matrix f − i is indeed the matrix Δ(t) · P. 

[Figure: the net N_1 after firing t (not reproduced).] 

$$
\mathbf{f} = \begin{array}{c|cccc}
 & \text{red} & \text{blue} & \text{green} & \text{black} \\ \hline
p_1 & 1 & 0 & 0 & 0 \\
p_2 & 0 & 0 & 0 & 0 \\
p_3 & 2 & 0 & 2 & 0 \\
p_4 & 1 & 2 & 0 & 1
\end{array}
\qquad
P = \begin{array}{c|cccc}
 & \text{red} & \text{blue} & \text{green} & \text{black} \\ \hline
x & 0 & 1 & 0 & 0 \\
y & 0 & 0 & 1 & 0 \\
z & 0 & 0 & 0 & 1
\end{array}
$$

Using the representations developed so far we can represent an X-run ρ as 
{(c_i, t_i, P_i)}_{|ρ|}, where (c_i, t_i, P_i) denotes the i-th X-step fired with coefficient c_i 
using transition t_i with a mode corresponding to the permutation matrix P_i. The 
sum of the matrices Σ_{i=1}^{|ρ|} c_i (Δ(t_i) · P_i) gives us the effect of the run, i.e. Δ(ρ) = 
f − i where i →^ρ_X f. The effect of an X-run ρ on a data value α is Δ(ρ)(•, α). Also, 
for an X-run ρ = {(c_i, t_i, P_i)}_{|ρ|}, define kρ = {(k c_i, t_i, P_i)}_{|ρ|} where k ∈ X^+. 


5 Bounding the Number of Data Values Used in a Q, Q^+-run 


We now prove the first main result of the paper, namely, Theorem 1, which shows 
a linear upper bound on the number of data values required in a Q^+-run and a 
Q-run. Theorem 1 is an immediate consequence of the following lemma, which 
states that if more than a linearly bounded number of data values are used in a 
Q or Q^+ run, then there is another such run in which we use at least one less 
data value. 


Lemma 1. Let X ∈ {Q, Q^+}. If there exists an X-run σ such that i →^σ_X f and 
|dval(σ)| > |dval(i) ∪ dval(f)| + 1 + max_{t∈T}(|vars(t)|), then there exists an X-run 
ρ such that i →^ρ_X f and |dval(ρ)| ≤ |dval(σ)| − 1. 

By repeatedly applying this lemma, Theorem 1 follows immediately. The rest of 
this section is devoted to proving this lemma. The central idea is to take any Q 
or Q^+-run between i, f and transform it to use at least one less data value. 
5.1 Transformation of an X-run 


The transformation which we call decrease is defined as a combination of two 
separate operations on an X-run; we name them uniformize and replace and 
denote them by 𝒰 and ℛ respectively. 


– uniformize takes an X-step and a non-empty set of data values E as input 
and produces an X-run, such that in the resultant run, the effect of the run 
for each data value in E is equal. 

– replace takes an X-step, a single data value α, and a non-empty set of data 
values E as input and outputs an X-step which doesn't use data value α. 


The intuition behind the decrease operation is that we would like to take two 
data values α and β used in the run such that the effect on both of them is 0 
(they exist, as the effect on every data value not present in the initial or final 
configuration is 0) and replace the usage of α by β. However, such a replacement can 
only be done if both data are not used together in a single step (indeed, a mode 
π cannot assign the same data value to two variables). Unfortunately we cannot 
guarantee the existence of such a β that may replace α globally. We circumvent 
this by applying the replace operation separately for every step, replacing α with 
different data values in different steps. 

But such a transformation would not preserve the effect of the run. To repair 
this aspect we uniformize, i.e. guarantee that the final effect after replacing α by 
other data values is equal for every datum that is used to replace α. As the effect 
on α was 0, if we split it uniformly it adds 0 to the effects of the data replacing α, 
which is exactly what we want. We now formalize this intuition below. 


The Uniformize Operator. By © we denote an operator of concatenation of 
two sequences. Although the data set D is unordered, the following definitions 
require access to an arbitrary but fixed linear order on its elements. The definition 
of the uniformize operator needs another operator to act on an X-step, which 
we call rotate and denote by rot. 


Definition 4. For a non-empty finite set of data values $E \subseteq D$ and an X-step $w = (c, t, P)$, define $rot(E, w) = (c, t, P')$ where $P'$ is obtained from $P$ as follows.

- $\forall \alpha \in col(P) \setminus E$, $P'(\bullet, \alpha) = P(\bullet, \alpha)$.
- $\forall \alpha \in E$, $P'(\bullet, \alpha) = P(\bullet, next_E(\alpha))$, where $next_E(\alpha) = \min(\{\beta \in E \mid \beta > \alpha\})$ if $|\{\beta \in E \mid \beta > \alpha\}| > 0$ and $\min(E)$ otherwise.


For a fixed set $E$, we can repeatedly apply the $rot(E, \cdot)$ operation to an X-step, which we denote by $rot^k(E, w)$, where $k$ is the number of times we applied the operation (for example $rot^2(E, w) = rot(E, rot(E, w))$).

Definition 5. For a finite and non-empty set of data values $E \subseteq D$ and an X-step $w = (c, t, P)$, write $\frac{w}{|E|}$ for the X-step $(\frac{c}{|E|}, t, P)$. We define uniformize as follows:

$$U(E, w) = rot^0\!\left(E, \tfrac{w}{|E|}\right) \odot rot^1\!\left(E, \tfrac{w}{|E|}\right) \odot rot^2\!\left(E, \tfrac{w}{|E|}\right) \odot \dots \odot rot^{|E|-1}\!\left(E, \tfrac{w}{|E|}\right).$$

An important property of uniformize is its effect on data values.

Lemma 2. For a finite and non-empty set of data values $E \subseteq D$ and an X-step $w = (c, t, P)$, if $i \xrightarrow{w}_X f$ and $i \xrightarrow{U(E,w)}_X f'$, then

1. $\forall \alpha \in dval(w) \setminus E$, $f'(\bullet, \alpha) - i(\bullet, \alpha) = f(\bullet, \alpha) - i(\bullet, \alpha)$;
2. $\forall \alpha \in E$, $f'(\bullet, \alpha) - i(\bullet, \alpha) = \frac{1}{|E|} \sum_{\beta \in E} \big(f(\bullet, \beta) - i(\bullet, \beta)\big)$.


This lemma tells us that the effect of the run on the initial marking is equalized for the data values in $E$ by the $U$ operation, and is unchanged for the other data values.


The Replace Operator. To define the replace operator it is useful to introduce $swap_{\alpha,\beta}(P)$, which exchanges the columns $\alpha$ and $\beta$ in the matrix $P$.

Definition 6. For a finite set of data values $E$, an X-step $w = (c, t, P)$, and $\alpha \notin E$ we define replace as follows:

$$R(\alpha, E, w) = \begin{cases} (c, t, P) & \text{if } (F(t,\bullet)\cdot P)(\bullet, \alpha) = (F(\bullet,t)\cdot P)(\bullet, \alpha) = 0, \\ (c, t, swap_{\alpha,\beta}(P)) & \text{else, if } \beta \text{ is the smallest datum in } E \text{ s.t. } (F(t,\bullet)\cdot P)(\bullet, \beta) = (F(\bullet,t)\cdot P)(\bullet, \beta) = 0, \\ \text{undefined} & \text{otherwise.} \end{cases}$$

After applying the replace operation, $\alpha$ is no longer used in the step, which reduces the number of data values used in the run. Observe that replace cannot always be applied to an X-step: it requires a zero column labelled with an element of $E$ in the permutation matrix corresponding to the X-step, more precisely a datum $\beta \in E$ whose columns in both $F(t,\bullet)\cdot P$ and $F(\bullet,t)\cdot P$ are zero.


The Decrease Transformation. Finally, we define the transformation on an 
X-run between two markings which we call decrease and denote by dec. 


Definition 7. For two X-markings $i, f$ and an X-run $\sigma$ such that $i \xrightarrow{\sigma}_X f$ and $|dval(\sigma)| > |dval(i) \cup dval(f)| + 1 + \max_{t \in T}(|vars(t)|)$, let $\{\alpha\} \cup E = dval(\sigma) \setminus (dval(i) \cup dval(f))$ with $\alpha \notin E$. We define decrease by

$$dec(E, \alpha, \sigma) = U(E, R(\alpha, E, \sigma(1))) \odot U(E, R(\alpha, E, \sigma(2))) \odot \dots \odot U(E, R(\alpha, E, \sigma(|\sigma|))),$$

where $\sigma(j)$ denotes the $j$-th X-step of $\sigma$.

Observe that the required size of $dval(\sigma)$ guarantees the existence of a $\beta \in E$ with which $\alpha$ can be exchanged, for every application of the $R$ operation: we have $|E| > \max_{t \in T}|vars(t)|$, while a single step can use at most $|vars(t)|$ data values, so at least one datum of $E$ has zero columns in that step. Note that the exchanged data value $\beta$ can be different for each step. Finally, we can analyze the decrease transformation and show that if the original run allows for the decrease transformation (as given in the above definition), then after applying it, the resulting sequence of steps is a valid run of the system.

Lemma 3. Let $\sigma$ be an X-run such that $i \xrightarrow{\sigma}_X f$ and $|dval(\sigma)| > |dval(i) \cup dval(f)| + 1 + \max_{t \in T}(|vars(t)|)$. Let $\alpha \in dval(\sigma) \setminus (dval(i) \cup dval(f))$ and $E = dval(\sigma) \setminus (dval(i) \cup dval(f) \cup \{\alpha\})$. Then for $\rho = dec(E, \alpha, \sigma)$, we obtain $i \xrightarrow{\rho}_X f$.


Proof. Suppose $\sigma = \sigma_1 \sigma_2 \dots \sigma_l$ where each $\sigma_j = (c_j, t_j, P_j)$, for $1 \le j \le l$, is an X-step. Then $\rho = \rho_1 \odot \dots \odot \rho_l$, where each $\rho_j$ is an X-run defined by $\rho_j = U(E, R(\alpha, E, \sigma_j))$. It will be useful to identify the intermediate X-markings

$$i = m_0 \xrightarrow{\sigma_1}_X m_1 \xrightarrow{\sigma_2}_X m_2 \dots \xrightarrow{\sigma_l}_X m_l = f \qquad (1)$$

$$i = m'_0 \xrightarrow{U(E,R(\alpha,E,\sigma_1))}_X m'_1 \xrightarrow{U(E,R(\alpha,E,\sigma_2))}_X m'_2 \dots \xrightarrow{U(E,R(\alpha,E,\sigma_l))}_X m'_l = f'$$

We split the proof: first we show that $f = f'$, and then that $\rho$ is X-fireable from $i$.


Step 1: Showing that the final markings reached are the same. We prove a stronger statement which implies $f = f'$, namely:

Claim 1. For all $0 \le j \le l$,

1. $m'_j(\bullet, \alpha) = 0$;
2. $\forall \gamma \in dval(i) \cup dval(f)$, $m'_j(\bullet, \gamma) = m_j(\bullet, \gamma)$;
3. $\forall \gamma \in E$, $m'_j(\bullet, \gamma) = \frac{1}{|E|} \sum_{\delta \in E \cup \{\alpha\}} m_j(\bullet, \delta)$.

The proof is by induction on $j$. Intuitively, point 1 holds as we shift the effects on $\alpha$ to the data values in $E$, and point 2 holds as the transformation does not touch $\gamma \in dval(i) \cup dval(f)$. The last and most complicated point follows from the fact that the number of tokens consumed and produced along each segment $m'_{j-1} \xrightarrow{U(E,R(\alpha,E,\sigma_j))}_X m'_j$ is the same as for $\sigma_j$, but uniformized over $E$.

Step 2: Showing that $\rho$ is an X-run. If $X = \mathbb{Q}$ then the run $\rho$ is fireable, as any $\mathbb{Q}$-run is fireable, so in this case this step is trivial. The case $X = \mathbb{Q}^{+}$ is more involved. As we know from Claim 1, each $m'_j$ is a $\mathbb{Q}^{+}$-marking, so it suffices to prove that for every $j$, $m'_{j-1} \xrightarrow{U(E,R(\alpha,E,\sigma_j))}_{\mathbb{Q}^{+}} m'_j$. Consider the data vector of tokens consumed along the $\mathbb{Q}^{+}$-run $U(E, R(\alpha, E, \sigma_j))$. If we show that it is smaller than or equal to $m'_{j-1}$ (component-wise), then we can conclude that $U(E, R(\alpha, E, \sigma_j))$ is indeed $\mathbb{Q}^{+}$-fireable from $m'_{j-1}$. To show this, we examine the consumed tokens for each datum $\gamma$ separately. There are three cases:

(i) $\gamma = \alpha$. In this case no step in $U(E, R(\alpha, E, \sigma_j))$ changes $\alpha$, so tokens with data value $\alpha$ are not consumed along the $\mathbb{Q}^{+}$-run $U(E, R(\alpha, E, \sigma_j))$.

(ii) $\gamma \in dval(i) \cup dval(f)$. This is similar to the above case. Consider any data value $\gamma \in (dval(\sigma) \setminus E) \setminus \{\alpha\}$. Since $\gamma$ is not affected by the rotate operation, the $U$ operation causes each $\mathbb{Q}$-step in $U(E, R(\alpha, E, \sigma_j))$ to consume $\frac{1}{|E|}$ of the tokens with data value $\gamma$ consumed when $\sigma_j$ is fired. This is repeated $|E|$ times, and hence the vector of tokens with data value $\gamma$ consumed along $U(E, R(\alpha, E, \sigma_j))$ is equal to the vector of tokens with value $\gamma$ consumed by the step $\sigma_j$. But we know that the latter is at most $m_{j-1}(\bullet, \gamma)$, and consequently at most $m'_{j-1}(\bullet, \gamma)$. The last inequality holds as $m_{j-1}(\bullet, \gamma) = m'_{j-1}(\bullet, \gamma)$ according to Claim 1.

(iii) $\gamma \in E$. Let $w$ be the triple $(c_j, F(\bullet, t_j), P_j)$ where $(c_j, t_j, P_j) = \sigma_j$; $w$ simply describes the tokens consumed by $\sigma_j$. We slightly overload the notation and treat the triple $w$ like a step, where $F(\bullet, t_j)$ represents a transition "$\_$" for which $F(\bullet, \_) = F(\bullet, t_j)$ and $F(\_, \bullet)$ is the zero matrix. We calculate the vector of consumed tokens with data value $\gamma$ as follows:

$$consumed(\bullet, \gamma) = \frac{1}{|E|} \sum_{k=0}^{|E|-1} \Delta\big(rot^k(E, R(\alpha, E, w))\big)(\bullet, \gamma) = \frac{1}{|E|} \sum_{k=0}^{|E|} \Delta\big(rot^k(E \cup \{\alpha\}, w)\big)(\bullet, \gamma),$$

where the first equality is from the definition of $U$ and the second by the replace operation (the columns of $E \cup \{\alpha\}$ in $w$ are, up to the exchange of $\alpha$ with a zero column, exactly the columns of $E$ in $R(\alpha, E, w)$, and the rotations enumerate each of them once). Expanding $w$,

$$= \frac{1}{|E|} \sum_{k=0}^{|E|} \Delta\big(rot^k(E \cup \{\alpha\}, (c_j, F(\bullet, t_j), P_j))\big)(\bullet, \gamma) = \frac{c_j}{|E|} \sum_{\delta \in E \cup \{\alpha\}} (F(\bullet, t_j) \cdot P_j)(\bullet, \delta).$$

Further, observe that as $\sigma_j$ can be fired in $m_{j-1}$,

$$c_j\,(F(\bullet, t_j) \cdot P_j)(\bullet, \delta) \le m_{j-1}(\bullet, \delta) \quad \text{for all } \delta \in D;$$

summing over $\delta \in E \cup \{\alpha\}$ and multiplying by $\frac{1}{|E|}$ we get

$$\frac{c_j}{|E|} \sum_{\delta \in E \cup \{\alpha\}} (F(\bullet, t_j) \cdot P_j)(\bullet, \delta) \le \frac{1}{|E|} \sum_{\delta \in E \cup \{\alpha\}} m_{j-1}(\bullet, \delta) = m'_{j-1}(\bullet, \gamma),$$

where the last equality comes from Claim 1, point 3. Combining the inequalities we get $consumed(\bullet, \gamma) \le m'_{j-1}(\bullet, \gamma)$. $\square$


Proof (of Lemma 1). The proof of Lemma 1 (and hence Theorem 1) now follows immediately, since we can use the decrease transformation to reduce the number of data values required in an X-run. We simply take $\alpha \in dval(\sigma) \setminus (dval(i) \cup dval(f))$ and $E = dval(\sigma) \setminus (dval(i) \cup dval(f)) \setminus \{\alpha\}$. Next, let $\rho = dec(E, \alpha, \sigma)$. By Lemma 3 we know that $i \xrightarrow{\rho}_X f$. Moreover, observe that $dval(\rho) \subseteq dval(\sigma)$. But in addition, $\alpha \notin dval(\rho)$, since by one of the properties of the decrease operation $\alpha$ does not participate in the run $\rho$. So $dval(\rho) \subsetneq dval(\sigma)$, and therefore $|dval(\rho)| \le |dval(\sigma)| - 1$. $\square$
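The rotate, uniformize, replace and decrease operations above can be executed on a small constructed net to see Lemma 2 and Lemma 3 in action. The following Python is an added example written for this page, not code from the paper or its authors. It represents a permutation matrix $P$ as an injective map from variables to data values, uses exact rationals so that the $\frac{1}{|E|}$ coefficients are not lost to rounding, and builds a toy UDPN with two places and two transitions (constructed data; the place, transition and variable names are assumptions of the example). The run $\sigma$ uses five data values while only datum 1 appears in the initial and final marking, so the hypothesis of Lemma 3, $|dval(\sigma)| > |dval(i) \cup dval(f)| + 1 + \max_t |vars(t)|$, here $5 > 1 + 1 + 2$, is met.

```python
from fractions import Fraction
from itertools import chain

# Constructed toy UDPN (not taken from the paper): two places, two variables.
# F(p,t) (consumed) and F(t,p) (produced) are stored as {transition: {place: {var: count}}}.
PLACES = ["p", "q"]
PRE = {"t1": {"p": {"x": 1}, "q": {}}, "t2": {"p": {}, "q": {"y": 1}}}
POST = {"t1": {"p": {}, "q": {"y": 1}}, "t2": {"p": {"x": 1}, "q": {}}}

# An X-step is (c, t, P).  The permutation matrix P (Var x D, one 1 per row,
# at most one 1 per column) is stored as an injective map var -> datum.

def consumed_produced(step):
    """c*(F(.,t).P) and c*(F(t,.).P) as {(place, datum): amount}."""
    c, t, P = step
    cons, prod = {}, {}
    for p in PLACES:
        for x, a in P.items():
            if PRE[t][p].get(x, 0):
                cons[(p, a)] = cons.get((p, a), 0) + c * PRE[t][p][x]
            if POST[t][p].get(x, 0):
                prod[(p, a)] = prod.get((p, a), 0) + c * POST[t][p][x]
    return cons, prod

def effect(step):
    """Delta of one step: produced minus consumed, zero entries dropped."""
    cons, prod = consumed_produced(step)
    delta = dict(prod)
    for k, v in cons.items():
        delta[k] = delta.get(k, 0) - v
    return {k: v for k, v in delta.items() if v}

def run_effect(run):
    total = {}
    for step in run:
        for k, v in effect(step).items():
            total[k] = total.get(k, 0) + v
    return {k: v for k, v in total.items() if v}

def dval(run):
    return {a for _, _, P in run for a in P.values()}

def next_in(E, a):
    """next_E(a): cyclic successor of a in the fixed linear order on E."""
    bigger = [b for b in E if b > a]
    return min(bigger) if bigger else min(E)

def rot(E, step):
    """Definition 4: P'(., alpha) = P(., next_E(alpha)) for alpha in E, i.e. a
    variable sitting on datum d = next_E(alpha) moves to alpha, d's predecessor."""
    c, t, P = step
    prev = {next_in(E, a): a for a in E}
    return (c, t, {x: prev.get(a, a) for x, a in P.items()})

def uniformize(E, step):
    """Definition 5: |E| copies with coefficient c/|E|, rotated 0, 1, ..., |E|-1 times."""
    c, t, P = step
    out, cur = [], (Fraction(c) / len(E), t, P)
    for _ in range(len(E)):
        out.append(cur)
        cur = rot(E, cur)
    return out

def used(step, a):
    """True unless both the consumed and the produced column of datum a are zero."""
    cons, prod = consumed_produced(step)
    return any(k[1] == a for k in chain(cons, prod))

def replace(alpha, E, step):
    """Definition 6: swap alpha's column with that of the smallest beta in E whose
    columns are zero; None when no such beta exists (R is undefined)."""
    if not used(step, alpha):
        return step
    free = sorted(b for b in E if not used(step, b))
    if not free:
        return None
    beta = free[0]
    c, t, P = step
    return (c, t, {x: beta if a == alpha else alpha if a == beta else a
                   for x, a in P.items()})

def decrease(E, alpha, run):
    """Definition 7: U(E, R(alpha, E, sigma(j))) for every step j, concatenated."""
    out = []
    for step in run:
        r = replace(alpha, E, step)
        if r is None:
            raise ValueError("replace is undefined for step %r" % (step,))
        out.extend(uniformize(E, r))
    return out

def fire(marking, run):
    """Fire a run as a Q+-run: each step must find the tokens it consumes.
    Returns the final marking, or None if some step is not fireable."""
    m = dict(marking)
    for step in run:
        cons, prod = consumed_produced(step)
        if any(m.get(k, 0) < v for k, v in cons.items()):
            return None
        for k, v in cons.items():
            m[k] = m[k] - v
        for k, v in prod.items():
            m[k] = m.get(k, 0) + v
    return {k: v for k, v in m.items() if v}

def lemma2_holds(E, step):
    """Lemma 2: U(E, w) keeps the effect outside E and averages it over E."""
    w, u = effect(step), run_effect(uniformize(E, step))
    data = {k[1] for k in chain(w, u)} | set(E)
    for p in PLACES:
        avg = sum(w.get((p, b), 0) for b in E) / Fraction(len(E))
        for a in data:
            expected = avg if a in E else w.get((p, a), 0)
            if u.get((p, a), 0) != expected:
                return False
    return True

# Constructed run: the token (p,1) cycles through q using the fresh data 2,3,4,5.
I = {("p", 1): 1}
SIGMA = [step for d in (2, 3, 4, 5)
         for step in ((1, "t1", {"x": 1, "y": d}), (1, "t2", {"x": 1, "y": d}))]
E = {3, 4, 5}   # dval(sigma) minus dval(i), dval(f) and alpha = 2
RHO = decrease(E, 2, SIGMA)
```

`fire(I, RHO)` replays the decreased run as a $\mathbb{Q}^{+}$-run and returns the same marking that $\sigma$ reaches, while `dval(RHO)` no longer contains the datum 2; `lemma2_holds` checks the equalization property of Lemma 2 on a single step, including the case where $E$ contains data the step actually touches.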


6 Q-reachability is in PTime 


We recall the definition of histograms from [22]. 


Definition 8. A histogram $M$ of order $q \in \mathbb{Q}$ is a $Var \times D$ matrix having non-negative rational entries such that

1. $\sum_{\alpha \in col(M)} M(x, \alpha) = q$ for all $x \in row(M)$;
2. $\sum_{x \in row(M)} M(x, \alpha) \le q$ for all $\alpha \in col(M)$.

A permutation matrix is a histogram of order 1. In the following lemma we state two properties of histograms. We say that a histogram of order $a$ is an $[a]$-histogram if the histogram has only $\{0, a\}$ entries.

Lemma 4. Let $H, H_1, H_2, \dots, H_n$ be histograms of order $q, q_1, q_2, \dots, q_n$ respectively, with the same row dimension. Then (i) $\sum_{i=1}^{n} H_i$ is a histogram of order $\sum_i q_i$, and (ii) $H$ can be decomposed as a sum of $[a_i]$-histograms such that $\sum_i a_i = q$.


Using histograms we define a representation $Hist(\rho)$ for an X-run $\rho$, which captures $\Delta(\rho)$. From an X-run $\rho = \{(c_j, t_j, P_j)\}_{j=1}^{|\rho|}$ we obtain $Hist(\rho)$ as follows. For every transition $t \in T$, define the set $I_t = \{j \in [1..|\rho|] \mid t_j = t\}$. Then calculate the matrix $H_t = \sum_{j \in I_t} c_j P_j$. Observe that since permutation matrices are histograms and histograms are closed under scalar multiplication and addition, $H_t$ is a histogram. If $I_t$ is empty, then $H_t$ is simply the null matrix. We define $Hist(\rho)$ as the mapping from $T$ to histograms such that $t$ is mapped to $H_t$.

Analogously to an X-run we can represent $Hist(\rho)$ simply as $\{(t_i, H_{t_i})\}$; unlike for an X-run we do not indicate the length of the sequence, since it depends on the net and not on the individual run.


Proposition 1. Let $N = (P, T, F, Var)$ be a UDPN, $i, f$ X-markings, and $\sigma$ an X-run such that $i \xrightarrow{\sigma}_X f$. Then for each $t \in T$ there exists $H_t$ such that:

1. $f - i = \sum_{t \in T} \Delta(t) \cdot H_t$;
2. $col(H_t) \subseteq dval(\sigma)$ for every $t \in T$.


A PTime Procedure. We start by observing that from any $\mathbb{Q}$-marking $m$, every $\mathbb{Q}$-step $(c, t, P)$ is fireable, and hence every $\mathbb{Q}$-run is fireable. This follows from the fact that the rationals are closed under addition, thus $m + c \cdot \Delta(t) \cdot P$ is a marking in $\mathcal{M}_{\mathbb{Q}}$. Thus if we have to find a $\mathbb{Q}$-run $\rho = \{(c_j, t_j, P_j)\}_{j=1}^{|\rho|}$ between two $\mathbb{Q}$-markings $i, f$, it is sufficient to ensure that $f - i = \sum_{j=1}^{|\rho|} c_j \Delta(t_j) P_j$. Thus for a $\mathbb{Q}$-run all that matters is the difference in markings caused by the run, which is captured succinctly by $Hist(\rho) = \{(t_i, H_{t_i})\}$. This brings us to our characterization of $\mathbb{Q}$-runs.

Lemma 5. Let $N = (P, T, F, Var)$ be a UDPN. A marking $f$ is $\mathbb{Q}$-reachable from $i$ iff there exists a set $E$ of size bounded by $|E| \le |dval(i) \cup dval(f)| + 1 + \max_{t \in T}(|vars(t)|)$ and a histogram $H_t$ for each $t \in T$ such that $f - i = \sum_{t \in T} \Delta(t) \cdot H_t$ and $\forall t \in T$, $col(H_t) \subseteq E$.


Using this characterization we can write a system of linear inequalities to 
encode the condition of Lemma 5. Thus, we obtain our second main result, 
namely, Theorem 2, with detailed proofs in [27]. 
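As an added illustration (not code from the paper or its authors), the histogram conditions of Definition 8, the construction of $Hist(\rho)$, the closure property of Lemma 4 (i) and the identity $f - i = \sum_t \Delta(t) \cdot H_t$ of Proposition 1 can be checked mechanically on a constructed $\mathbb{Q}$-run. The net below is toy data with two places and two transitions (names are assumptions of the example); $\Delta(t)$ is stored directly as the place by variable effect matrix, and matrices over $Var \times D$ are sparse dictionaries with exact rational entries.

```python
from fractions import Fraction

# Constructed toy UDPN (not from the paper).  Delta(t) = F(t,.) - F(.,t) is a
# Place x Var matrix stored as {place: {var: change}}.
DELTA = {
    "t1": {"p": {"x": -1}, "q": {"y": 1}},   # t1 takes an x-token from p, puts a y-token on q
    "t2": {"p": {"x": 1}, "q": {"y": -1}},   # t2 does the reverse
}

# Var x D matrices (histograms, permutation matrices) are sparse {(var, datum): entry}.

def is_histogram(H, q):
    """Definition 8: non-negative entries, every row sums to q, every column to at most q."""
    rows = {x for x, _ in H}
    cols = {a for _, a in H}
    if any(v < 0 for v in H.values()):
        return False
    rows_ok = all(sum(H.get((x, a), 0) for a in cols) == q for x in rows)
    cols_ok = all(sum(H.get((x, a), 0) for x in rows) <= q for a in cols)
    return rows_ok and cols_ok

def perm_matrix(P):
    """Permutation matrix from an injective map var -> datum (a histogram of order 1)."""
    return {(x, a): 1 for x, a in P.items()}

def add_hist(A, B):
    """Lemma 4 (i): histograms of orders q1 and q2 sum to a histogram of order q1 + q2."""
    out = dict(A)
    for k, v in B.items():
        out[k] = out.get(k, 0) + v
    return out

def order(run, t):
    """Order of H_t, i.e. the total coefficient of t in the run."""
    return sum((c for c, u, _ in run if u == t), Fraction(0))

def hist(run):
    """Hist(rho): t -> H_t = sum_{j in I_t} c_j P_j, for the transitions occurring in rho."""
    H = {}
    for c, t, P in run:
        Ht = H.setdefault(t, {})
        for x, a in P.items():
            Ht[(x, a)] = Ht.get((x, a), 0) + c
    return H

def apply_delta(t, H):
    """(Delta(t) . H)(p, a) = sum_x Delta(t)(p, x) * H(x, a), as {(place, datum): change}."""
    out = {}
    for p, row in DELTA[t].items():
        for (x, a), v in H.items():
            d = row.get(x, 0) * v
            if d:
                out[(p, a)] = out.get((p, a), 0) + d
    return {k: v for k, v in out.items() if v}

def run_effect(run):
    """sum_j c_j Delta(t_j) P_j, computed step by step."""
    total = {}
    for c, t, P in run:
        for k, v in apply_delta(t, {(x, a): c for x, a in P.items()}).items():
            total[k] = total.get(k, 0) + v
    return {k: v for k, v in total.items() if v}

def hist_effect(run):
    """sum_t Delta(t) . H_t, the right-hand side of Proposition 1 (1)."""
    total = {}
    for t, Ht in hist(run).items():
        for k, v in apply_delta(t, Ht).items():
            total[k] = total.get(k, 0) + v
    return {k: v for k, v in total.items() if v}

def reached(i, run):
    """f = i + sum_t Delta(t) . H_t; for a Q-run this is all that has to hold."""
    f = dict(i)
    for k, v in hist_effect(run).items():
        f[k] = f.get(k, 0) + v
    return {k: v for k, v in f.items() if v}

# Constructed Q-run with rational coefficients.
RUN = [
    (Fraction(1, 2), "t1", {"x": 1, "y": 2}),
    (Fraction(1, 2), "t1", {"x": 1, "y": 3}),
    (Fraction(1, 3), "t2", {"x": 1, "y": 2}),
]
```

`hist(RUN)` folds the three steps into one histogram per transition ($H_{t1}$ of order 1, $H_{t2}$ of order $\frac{1}{3}$), and `run_effect(RUN) == hist_effect(RUN)` is the concrete instance of Proposition 1: once the coefficients are rational, only the histograms matter, which is what Lemma 5 turns into a system of linear inequalities.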
7 Q+-reachability is in PTime

Finally, we turn to $\mathbb{Q}^{+}$-reachability for UDPNs and to the proof of Theorem 3. At a high level, the proof is in three steps. We start with a characterization of $\mathbb{Q}^{+}$-reachability in UDPNs. Then we present a polytime reduction of the continuous reachability problem to the same problem for a special subclass of UDPNs, called loop-less nets. Finally, we show how to encode the characterization for loop-less nets into a system of linear equations with implications, to obtain a polytime algorithm for continuous reachability in UDPNs.


7.1 Characterizing Q+-reachability

We begin with a definition. For an X-run we introduce the notion of the pre and post sets of the X-run. For an X-run $\rho = \{(c_i, t_i, P_i)\}_{i=1}^{|\rho|}$ we define $Pre(\rho) = \{(p, \alpha) \mid \exists i\, \exists x : F(p, t_i)(x) > 0 \wedge P_i(x, \alpha) = 1\}$. We also define $Post(\rho) = \{(p, \alpha) \mid \exists i\, \exists x : F(t_i, p)(x) > 0 \wedge P_i(x, \alpha) = 1\}$. Intuitively, $Pre(\rho)$ and $Post(\rho)$ denote the sets of (place, data value) pairs $(p, \alpha)$ describing the tokens that are consumed, respectively produced, by the run $\rho$.

Throughout this section, by a marking we mean a $\mathbb{Q}^{+}$-marking.


Lemma 6. Let $N = (P, T, F, Var)$ be a UDPN and $i, f$ markings. For any $\mathbb{Q}^{+}$-run $\sigma$ such that $i \xrightarrow{\sigma}_{\mathbb{Q}^{+}} f$ there exist markings $i'$ and $f'$ (possibly on a different run) such that

1. $i'$ is $\mathbb{Q}^{+}$-reachable from $i$ in at most $|P| \cdot |dval(\sigma)|$ $\mathbb{Q}^{+}$-steps;
2. there is a run $\sigma'$ such that $dval(\sigma') \subseteq dval(\sigma)$ and $i' \xrightarrow{\sigma'}_{\mathbb{Q}^{+}} f'$;
3. $f$ is $\mathbb{Q}^{+}$-reachable from $f'$ in at most $|P| \cdot |dval(\sigma)|$ $\mathbb{Q}^{+}$-steps;
4. $\forall (p, \alpha) \in Pre(\sigma')$, $i'(p, \alpha) > 0$;
5. $\forall (p, \alpha) \in Post(\sigma')$, $f'(p, \alpha) > 0$.

Remark 1. If in conditions 1 and 3 we drop the requirement on the number of steps, then the five conditions still imply continuous reachability.


Note that if there exist markings $i'$ and $f'$ and $\mathbb{Q}^{+}$-runs $\rho, \rho', \rho''$ such that $i \xrightarrow{\rho}_{\mathbb{Q}^{+}} i'$, $i' \xrightarrow{\rho'}_{\mathbb{Q}^{+}} f'$ and $f' \xrightarrow{\rho''}_{\mathbb{Q}^{+}} f$, then there is a $\mathbb{Q}^{+}$-run $\sigma$ such that $i \xrightarrow{\sigma}_{\mathbb{Q}^{+}} f$. The above characterization and its proof are obtained by adapting to the data setting the techniques developed for continuous reachability in Petri nets (without data) in [11] and [12].


7.2 Transforming UDPN to Loop-less UDPN 


For a UDPN $N = (P, T, F, Var)$, we construct a UDPN $N'$ which is polynomial in the size of $N$ and for which the $\mathbb{Q}^{+}$-reachability problem is equivalent. We define $PrePlace(t) = \{p \in P \mid \exists v \in Var \text{ s.t. } F(p, t)(v) > 0\}$ and $PostPlace(t) = \{p \in P \mid \exists v \in Var \text{ s.t. } F(t, p)(v) > 0\}$, for $t \in T$. The essential property of the transformed UDPN is that for every transition the sets $PrePlace$ and $PostPlace$ do not intersect. A UDPN $N = (P, T, F, Var)$ is said to be loop-less if for all $t \in T$, $PrePlace(t) \cap PostPlace(t) = \emptyset$.

Any UDPN can easily be transformed in polynomial time into a loop-less UDPN such that $\mathbb{Q}^{+}$-reachability is preserved, by doubling the number of places and adding intermediate transitions. Formally, for every net $N$ and two markings $i, f$, one can construct in polynomial time a loop-less net $N'$ and two markings $i', f'$ such that $i \rightarrow_{\mathbb{Q}^{+}} f$ in the net $N$ iff $i' \rightarrow_{\mathbb{Q}^{+}} f'$ in $N'$. Now, the following lemma, which describes a property of loop-less nets, will be crucial for our reachability algorithm:

Lemma 7. In a loop-less net, for markings $i, f$, if there exist a histogram $H$ and a transition $t \in T$ such that $i + \Delta(t) \cdot H = f$, then there exists a $\mathbb{Q}^{+}$-run $\rho$ such that $i \xrightarrow{\rho}_{\mathbb{Q}^{+}} f$.


7.3 Encoding Q+-reachability as Linear Equations with Implications

Linear equations with implications, as we use them, are defined in [23], but were introduced in [12]. A system of linear equations with implications, also called a $\Rightarrow$-system, is a finite set of linear inequalities over the same variables, plus a finite set of implications of the form $x > 0 \Rightarrow y > 0$, where $x, y$ are variables appearing in the linear inequalities.

Lemma 8 [12]. The $\mathbb{Q}^{+}$ solvability problem for a $\Rightarrow$-system is in PTime.

We then reduce the $\mathbb{Q}^{+}$-reachability problem to checking the solvability of a system of linear equations with implications, using the characterization established in Lemma 6, in the following lemma.

Lemma 9. $\mathbb{Q}^{+}$-reachability in a UDPN $N = (P, T, F, Var)$ between markings $i, f$ can be encoded as a set of linear equations with implications in polynomial time.

Finally, we obtain Theorem 3 as a consequence of Lemmas 8 and 9.


8 Conclusion 


In this paper, we provided a polynomial time algorithm for continuous reachability in UDPNs, matching the complexity for Petri nets without data. This is in contrast to problems such as discrete coverability and termination, where Petri nets with and without data differ enormously in complexity, and to (discrete) reachability, where decidability is still open. As future work, we aim to implement the continuous reachability algorithm developed here, to build the first tool for discrete coverability in UDPNs along the lines of what has been done for Petri nets without data. The main obstacle will be performance evaluation, due to the lack of benchmarks for UDPNs. Another interesting avenue for future work would be to tackle continuous reachability for Petri nets with ordered data, which would allow us to analyze continuous variants of timed Petri nets.


Acknowledgments. We thank the anonymous reviewers for their careful reading and 
their helpful and insightful comments. 


Continuous Reachability for Unordered Data Petri Nets is in PTime


References 


1. Finkel, A., Schnoebelen, P.: Well-structured transition systems everywhere! Theor. Comput. Sci. 256(1-2), 63-92 (2001)
2. Rackoff, C.: The covering and boundedness problems for vector addition systems. Theor. Comput. Sci. 6, 223-231 (1978)
3. Rao Kosaraju, S.: Decidability of reachability in vector addition systems (preliminary version). In: Proceedings of the 14th Annual ACM Symposium on Theory of Computing, San Francisco, California, USA, 5-7 May 1982, pp. 267-281 (1982)
4. Leroux, J., Schmitz, S.: Demystifying reachability in vector addition systems. In: 30th Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2015, Kyoto, Japan, 6-10 July 2015, pp. 56-67 (2015)
5. Cardoza, E., Lipton, R.J., Meyer, A.R.: Exponential space complete problems for Petri nets and commutative semigroups: preliminary report. In: Proceedings of the 8th Annual ACM Symposium on Theory of Computing, Hershey, Pennsylvania, USA, 3-5 May 1976, pp. 50-54 (1976)
6. Czerwinski, W., Lasota, S., Lazic, R., Leroux, J., Mazowiecki, F.: The reachability problem for Petri nets is not elementary (extended abstract). CoRR, abs/1809.07115 (2018)
7. van der Aalst, W.M.P.: The application of Petri nets to workflow management. J. Circ. Syst. Comput. 8(1), 21-66 (1998)
8. Esparza, J.: Decidability and complexity of Petri net problems: an introduction. In: Reisig, W., Rozenberg, G. (eds.) ACPN 1996. LNCS, vol. 1491, pp. 374-428. Springer, Heidelberg (1998). https://doi.org/10.1007/3-540-65306-6_20
9. Desel, J., Esparza, J.: Free Choice Petri Nets. Cambridge University Press, New York (1995)
10. David, R., Alla, H.: Continuous Petri nets. In: Proceedings of the 8th European Workshop on Application and Theory of Petri Nets, Zaragoza, Spain, pp. 275-294 (1987)
11. Fraca, E., Haddad, S.: Complexity analysis of continuous Petri nets. Fundam. Inform. 137(1), 1-28 (2015)
12. Blondin, M., Haase, C.: Logics for continuous reachability in Petri nets and vector addition systems with states. In: 32nd Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2017, Reykjavik, Iceland, 20-23 June 2017, pp. 1-12 (2017)
13. David, R., Alla, H.: Petri nets for modeling of dynamic systems: a survey. Automatica 30(2), 175-202 (1994)
14. Alla, H., David, R.: Continuous and hybrid Petri nets. J. Circ. Syst. Comput. 8, 159-188 (1998)
15. Jensen, K.: Coloured Petri nets: preface by the section editor. STTT 2(2), 95-97 (1998)
16. Wang, J.: Timed Petri nets. In: Timed Petri Nets: Theory and Application. The Kluwer International Series on Discrete Event Dynamic Systems, vol. 9, pp. 63-123. Springer, Boston (1998). https://doi.org/10.1007/978-1-4615-5537-7_4
17. Abdulla, P.A., Nylén, A.: Timed Petri nets and BQOs. In: Colom, J.-M., Koutny, M. (eds.) ICATPN 2001. LNCS, vol. 2075, pp. 53-70. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45740-2_5
18. Lazic, R., Newcomb, T.C., Ouaknine, J., Roscoe, A.W., Worrell, J.: Nets with tokens which carry data. Fundam. Inform. 88(3), 251-274 (2008)
19. Rosa-Velardo, F., de Frutos-Escrig, D.: Forward analysis for Petri nets with name creation. In: Lilius, J., Penczek, W. (eds.) PETRI NETS 2010. LNCS, vol. 6128, pp. 185-205. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13675-7_12
20. Lazić, R., Totzke, P.: What makes Petri nets harder to verify: stack or data? In: Gibson-Robinson, T., Hopcroft, P., Lazić, R. (eds.) Concurrency, Security, and Puzzles. LNCS, vol. 10160, pp. 144-161. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-51046-0_8
21. Hofman, P., Lasota, S., Lazić, R., Leroux, J., Schmitz, S., Totzke, P.: Coverability trees for Petri nets with unordered data. In: Jacobs, B., Löding, C. (eds.) FOSSACS 2016. LNCS, vol. 9634, pp. 445-461. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49630-5_26
22. Hofman, P., Leroux, J., Totzke, P.: Linear combinations of unordered data vectors. In: 32nd Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2017, Reykjavik, Iceland, 20-23 June 2017, pp. 1-11 (2017)
23. Hofman, P., Lasota, S.: Linear equations with ordered data. In: 29th International Conference on Concurrency Theory, CONCUR 2018, Beijing, China, 4-7 September 2018, pp. 24:1-24:17 (2018)
24. Silva, M., Terue, E., Colom, J.M.: Linear algebraic and linear programming techniques for the analysis of place/transition net systems. In: Reisig, W., Rozenberg, G. (eds.) ACPN 1996. LNCS, vol. 1491, pp. 309-373. Springer, Heidelberg (1998). https://doi.org/10.1007/3-540-65306-6_19
25. Blondin, M., Finkel, A., Haase, C., Haddad, S.: Approaching the coverability problem continuously. In: Chechik, M., Raskin, J.-F. (eds.) TACAS 2016. LNCS, vol. 9636, pp. 480-496. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49674-9_28
26. Esparza, J., Ledesma-Garza, R., Majumdar, R., Meyer, P., Niksic, F.: An SMT-based approach to coverability analysis. In: Biere, A., Bloem, R. (eds.) CAV 2014. LNCS, vol. 8559, pp. 603-619. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-08867-9_40
27. Gupta, U., Shah, P., Akshay, S., Hofman, P.: Continuous reachability for unordered data Petri nets is in PTime. CoRR abs/1902.05604 (2019). arxiv.org/abs/1902.05604
28. Rosa-Velardo, F., de Frutos-Escrig, D.: Decidability and complexity of Petri nets with unordered data. Theor. Comput. Sci. 412(34), 4439-4451 (2011)


Open Access This chapter is licensed under the terms of the Creative Commons 
Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), 
which permits use, sharing, adaptation, distribution and reproduction in any medium 
or format, as long as you give appropriate credit to the original author(s) and the 
source, provide a link to the Creative Commons license and indicate if changes were 
made. 

The images or other third party material in this chapter are included in the chapter’s 
Creative Commons license, unless indicated otherwise in a credit line to the material. If 
material is not included in the chapter’s Creative Commons license and your intended 
use is not permitted by statutory regulation or exceeds the permitted use, you will 
need to obtain permission directly from the copyright holder. 




Optimal Satisfiability Checking for Arithmetic μ-Calculi

Daniel Hausmann and Lutz Schröder

Friedrich-Alexander-Universität Erlangen-Nürnberg, Erlangen, Germany
{daniel.hausmann,lutz.schroeder}@fau.de


Abstract. The coalgebraic μ-calculus provides a generic semantic framework for fixpoint logics with branching types beyond the standard relational setup, e.g. probabilistic, weighted, or game-based. Previous work on the coalgebraic μ-calculus includes an exponential time upper bound on satisfiability checking, which however requires a well-behaved set of tableau rules for the next-step modalities. Such rules are not available in all cases of interest, in particular ones involving either integer weights as in the graded μ-calculus, or real-valued weights in combination with non-linear arithmetic. In the present work, we prove the same upper complexity bound under more general assumptions, specifically regarding the complexity of the (much simpler) satisfiability problem for the underlying one-step logic, roughly described as the nesting-free next-step fragment of the logic. The bound is realized by a generic global caching algorithm that supports on-the-fly satisfiability checking. Example applications include new exponential-time upper bounds for satisfiability checking in an extension of the graded μ-calculus with polynomial inequalities (including positive Presburger arithmetic), as well as an extension of the (two-valued) probabilistic μ-calculus with polynomial inequalities.


1 Introduction 


Modal fixpoint logics are a well-established tool in the temporal specification, verification, and analysis of concurrent systems. One of the most expressive logics of this type is the modal μ-calculus [2,3,20], which features explicit least and greatest fixpoint operators; roughly speaking, these serve to specify liveness properties (least fixpoints) and safety properties (greatest fixpoints), respectively. Like most modal logics, the modal μ-calculus is traditionally interpreted over relational models such as Kripke frames or labelled transition systems. The growing interest in more expressive models where transitions are governed, e.g., by probabilities, weights, or games has sparked a commensurate growth of temporal logics and fixpoint logics interpreted over such systems; prominent examples include probabilistic μ-calculi [5,17,24], the alternating-time μ-calculus [1], and the monotone μ-calculus, which contains Parikh's game logic [28]. The graded μ-calculus [21] features next-step modalities that count successors; it is standardly interpreted over Kripke frames but, as pointed out by D'Agostino and Visser [6], graded modalities are more naturally interpreted over so-called multigraphs, where edges carry integer weights, and in fact this modification leads to better bounds on minimum model size for satisfiable formulas.

Coalgebraic logic [29,34] has emerged as a unifying framework for modal logics interpreted over such more general models. It is based on casting the transition type of the systems at hand as a set functor, and the systems in question as coalgebras for this type functor, following the paradigm of universal coalgebra [31]; additionally, modalities are interpreted as so-called predicate liftings. The coalgebraic μ-calculus [4] caters for fixpoint logics within this framework, and essentially covers all mentioned (two-valued) examples as instances. It has been shown that satisfiability checking in a coalgebraic μ-calculus is in EXPTIME, provided that one exhibits a set of tableau rules for the modalities, so-called one-step rules, that is tractable in a suitable sense (an assumption made also in our own previous work on the flat [14] and alternation-free [16] fragments of the coalgebraic μ-calculus). Such rules are known for many important cases, notably including alternating-time logics, the probabilistic μ-calculus even when extended with linear inequalities, and game logic [4,22,36]. There are, however, important cases where such rule sets are currently missing, and where there is in fact little perspective for finding suitable rules. One prominent case of this kind is graded modal logic; further cases arise when logics over systems with non-negative real weights, such as probabilistic systems, are taken beyond linear arithmetic to include polynomial inequalities.

The object of the current paper is to fill this gap by proving a generic EXPTIME upper bound for coalgebraic μ-calculi in the absence of tractable sets of modal tableau rules. The method we use instead is to analyse the so-called one-step satisfiability problem of the logic on a semantic level. This problem is essentially the satisfiability problem of a very small fragment of the logic, the one-step logic, which excludes not only fixpoints, but also nested next-step modalities, with a correspondingly simplified semantics that no longer involves actual transitions. E.g. the one-step logic of the relational μ-calculus is interpreted over models essentially consisting of a set with a distinguished subset, abstracting the successors of a single state that is not itself part of the model. We have applied this principle to satisfiability checking in coalgebraic (next-step) modal logics [35], coalgebraic hybrid logics [26], and reasoning with global assumptions in coalgebraic modal logics [23]. It also appears implicitly in work on automata for the coalgebraic μ-calculus [8], which however establishes only a doubly exponential upper bound in the case without tractable modal tableau rules.

Our main example applications are on the one hand the graded modal μ-calculus and its extension with (monotone) polynomial inequalities, including Presburger modalities, i.e. (monotone) linear inequalities, and on the other hand the extension of the (two-valued) probabilistic μ-calculus [4,24] with (monotone) polynomial inequalities. While the graded μ-calculus as such is known to be in EXPTIME [21], the other mentioned instances of our result are, to our best knowledge, new. At the same time, our proofs are fairly simple, even compared to specific ones, e.g. for the graded μ-calculus.
Technically, we base our results on an automata-theoretic treatment by means of standard parity automata with singly exponential branching degree (in particular on modal steps), thus precisely enabling the singly exponential upper bound, in contrast to previous work in [8] where the introduced Λ-automata lead to doubly exponential branching on modal steps in the resulting satisfiability games. Our algorithm witnessing the singly exponential time bound is, in fact, a global caching algorithm [11,12], and is able to decide the satisfiability of nodes on-the-fly, that is, possibly before the tableau is fully expanded, thus offering a perspective for practically feasible reasoning. A side result of our approach is a criterion for a polynomial bound on branching in models, which holds in all our examples.


Organization. In Sect. 2, we recall the basics of the coalgebraic μ-calculus. We outline our automata-theoretic approach in Sect. 3, and present the global caching algorithm and its runtime analysis in Sect. 4. Soundness and completeness of the algorithm are proved in Sect. 5.


2 The Coalgebraic μ-Calculus


We recall basic definitions in coalgebraic logic [29,34] and the coalgebraic μ-calculus [4].


Syntax. We fix a modal similarity type $\Lambda$, that is, a set of modal operators with assigned finite arities, possibly including propositional atoms as nullary modalities. For readability, we restrict the technical development to unary modalities, noting that all proofs generalize to higher arities by just writing more indices; in fact, we will liberally use higher arities in examples. We assume that $\Lambda$ is closed under duals, i.e., that for each modal operator $\heartsuit \in \Lambda$ there is a dual $\overline{\heartsuit} \in \Lambda$ such that $\overline{\overline{\heartsuit}} = \heartsuit$ for all $\heartsuit \in \Lambda$. Let $\mathsf{V}$ be an infinite set of fixpoint variables. Formulas of the coalgebraic μ-calculus (over $\Lambda$) are given by the grammar

$$\psi, \phi ::= \bot \mid \top \mid \psi \wedge \phi \mid \psi \vee \phi \mid \heartsuit \psi \mid X \mid \mu X.\,\psi \mid \nu X.\,\psi \qquad (\heartsuit \in \Lambda,\ X \in \mathsf{V}).$$


As usual, $\mu$ and $\nu$ take least and greatest fixpoints, respectively. Negation is not included but can be defined as usual. Throughout, we use $\eta \in \{\mu, \nu\}$ as a placeholder for fixpoint operators; we briefly refer to formulas of the form $\eta X.\,\psi$ as fixpoints. Fixpoint operators bind their fixpoint variables, so that we have standard notions of bound and free fixpoint variables; a formula is closed if it contains no free fixpoint variables. We assume w.l.o.g. that all formulas are clean, i.e. each fixpoint variable appears in at most one fixpoint operator, and irredundant, i.e. each bound variable is used at least once. Moreover, we restrict to guarded formulas, in which all occurrences of fixpoint variables are separated by at least one modal operator from their binding fixpoint operator (this is standard although possibly not w.l.o.g. [9]). For $\heartsuit \in \Lambda$, we denote by $size(\heartsuit)$ the length of a suitable representation of $\heartsuit$; for natural or rational numbers indexing $\heartsuit$, we assume binary representation. The length $|\psi|$ of a formula $\psi$ is its length over the alphabet $\{\bot, \top, \wedge, \vee\} \cup \Lambda \cup \mathsf{V} \cup \{\eta X. \mid X \in \mathsf{V}\}$, while the size $size(\psi)$ of $\psi$ is defined by counting $size(\heartsuit)$ for each $\heartsuit \in \Lambda$ (and 1 for all other operators). The alternation depth $ad(\eta X.\,\psi)$ of a fixpoint $\eta X.\,\psi$ is the maximal depth of nesting of alternating least and greatest fixpoints in $\psi$ that depend on $X$, tweaked to be even for least fixpoint formulas and odd for greatest fixpoint formulas (that is, starting with $ad(\mu X.\,\psi) = 2$ and $ad(\nu X.\,\psi) = 1$ for closed $\psi$). For a more detailed definition of various flavours of alternation depth, see e.g. [27].


Semantics. As indicated above, the branching type of the underlying systems is a parameter of the framework, given by fixing a $\mathsf{Set}$-endofunctor $T$. Elements of $TU$ should be thought of as structured collections over $U$ that serve as collections of successors of states; e.g. in the most basic example, classical relational systems, $T$ is the powerset functor $\mathcal{P}$. Formulas are then interpreted over $T$-coalgebras $(C, \xi)$ consisting of a set $C$ of states and a transition function $\xi : C \to TC$ that assigns a structured collection $\xi(x) \in TC$ of successors (and observations) to $x \in C$; e.g. $\mathcal{P}$-coalgebras are just Kripke frames, as they assign a set of successors to each state. We interpret each modal operator $\heartsuit \in \Lambda$ as a $T$-predicate lifting $[\![\heartsuit]\!]$, that is, a natural transformation $[\![\heartsuit]\!] : Q \to Q \circ T^{op}$, where $Q : \mathsf{Set}^{op} \to \mathsf{Set}$ denotes the contravariant powerset functor. Predicate liftings thus are families of functions $[\![\heartsuit]\!]_U : Q(U) \to Q(TU)$ satisfying naturality, i.e. $[\![\heartsuit]\!]_U(f^{-1}[A]) = (Tf)^{-1}[[\![\heartsuit]\!]_V(A)]$ for $f : U \to V$ and $A \subseteq V$, where $f^{-1}$ denotes preimage. E.g. the standard relational box modality is interpreted by $[\![\Box]\!]_U(A) = \{B \in \mathcal{P}(U) \mid B \subseteq A\}$. For sets $U \subseteq V$, we write $\overline{U} = V \setminus U$ for the complement of $U$ in $V$ when $V$ is understood from the context. We require that duality of modal operators is respected, i.e. $[\![\overline{\heartsuit}]\!]_U(A) = \overline{[\![\heartsuit]\!]_U(\overline{A})}$ for $A \subseteq U$. To ensure existence of fixpoints, we require that all $[\![\heartsuit]\!]$ are monotone, i.e. $A \subseteq B \subseteq U$ implies $[\![\heartsuit]\!]_U(A) \subseteq [\![\heartsuit]\!]_U(B)$.

A valuation is a partial function $i : \mathcal V\rightharpoonup\mathcal P(C)$ that assigns sets $i(X)$ of states to fixpoint variables $X$. The extension $\llbracket\phi\rrbracket_i\subseteq C$ of a formula $\phi$ in a $T$-coalgebra $(C,\xi)$ is defined by the expected clauses for propositional operators and

$$\begin{aligned}
\llbracket\heartsuit\psi\rrbracket_i &= \xi^{-1}[\llbracket\heartsuit\rrbracket_C(\llbracket\psi\rrbracket_i)] & \llbracket\mu X.\,\psi\rrbracket_i &= \mathrm{LFP}(\llbracket\psi\rrbracket^X_i)\\
\llbracket X\rrbracket_i &= i(X) & \llbracket\nu X.\,\psi\rrbracket_i &= \mathrm{GFP}(\llbracket\psi\rrbracket^X_i),
\end{aligned}$$

where LFP and GFP compute the least and greatest fixpoints of their argument functions, respectively, where $\llbracket\psi\rrbracket^X_i(A) = \llbracket\psi\rrbracket_{i[X\mapsto A]}$ for $A\subseteq C$, and where $(i[X\mapsto A])(X) = A$ and $(i[X\mapsto A])(Y) = i(Y)$ for $Y\neq X$. In particular, the extension is invariant under unfolding of fixpoints, i.e. $\llbracket\eta X.\,\psi\rrbracket_i = \llbracket\psi[X\mapsto\eta X.\,\psi]\rrbracket_i$. For closed formulas $\psi$, the valuation $i$ is irrelevant, so we write $\llbracket\psi\rrbracket$ instead of $\llbracket\psi\rrbracket_i$. A state $x\in C$ satisfies a closed formula $\psi$ (denoted $x\models\psi$) if $x\in\llbracket\psi\rrbracket$. Given a set $Z$, we define the set $\Lambda(Z) = \{\heartsuit z\mid\heartsuit\in\Lambda, z\in Z\}$ of modal literals (over $Z$). A closed formula $\chi$ is satisfiable if there is a coalgebra $(C,\xi)$ and a state $x\in C$ such that $x\models\chi$. 


Example 1. We now detail several instances of the coalgebraic $\mu$-calculus; for further examples, e.g. the alternating-time $\mu$-calculus, see [4]. 

1. To obtain the standard modal $\mu$-calculus [19] (which contains CTL as a fragment), we take $\Lambda = \{\Diamond,\Box\}\cup P$ where $P$ is a set of propositional atoms, seen as nullary modalities. The semantics is captured by $TU = \mathcal P(U)\times\mathcal P(P)$, so that $T$-coalgebras are Kripke models, as they assign to each state a set of successors and a set of atoms satisfied in the state. The relevant predicate liftings are

$$\llbracket\Diamond\rrbracket_U(A) = \{(B,Q)\in TU\mid A\cap B\neq\emptyset\}\qquad \llbracket\Box\rrbracket_U(A) = \{(B,Q)\in TU\mid B\subseteq A\}$$

and $\llbracket p\rrbracket_U = \{(B,Q)\in TU\mid p\in Q\}$, a nullary predicate lifting. Standard example formulas include the CTL-formula $AF\,p = \mu X.\,(p\vee\Box X)$, which states that on all paths, $p$ eventually holds, and the fairness formula $\nu X.\,\mu Y.\,((p\wedge\Diamond X)\vee\Diamond Y)$, which asserts the existence of a path on which $p$ holds infinitely often. 

2. We interpret the graded $\mu$-calculus [21] over multigraphs [6], i.e. $T$-coalgebras for the multiset functor $T = \mathcal B$, defined by

$$\mathcal B(U) = \{\theta : U\to\mathbb N\cup\{\infty\}\}\qquad \mathcal B(f)(\theta)(v) = \sum_{u\in U,\ f(u) = v}\theta(u)$$

for sets $U,V$ and functions $f : U\to V$, $\theta : U\to\mathbb N\cup\{\infty\}$. Thus $\mathcal B$-coalgebras $(C,\xi)$ assign multisets $\xi(x)$ to states $x\in C$, with the intuition that $x$ has $y\in C$ as successor with multiplicity $m$ if $\xi(x)(y) = m$. We use the modal similarity type $\Lambda = \{\langle m\rangle,[m]\mid m\in\mathbb N\cup\{\infty\}\}$ and define the predicate liftings

$$\llbracket\langle m\rangle\rrbracket_U(A) = \{\theta\in\mathcal B(U)\mid\theta(A) > m\}\qquad \llbracket[m]\rrbracket_U(A) = \{\theta\in\mathcal B(U)\mid\theta(\overline A)\le m\}$$

for sets $U$ and $A\subseteq U$, where $\theta(A) = \sum_{a\in A}\theta(a)$. E.g. a state satisfies $\nu X.\,(\psi\wedge\langle 1\rangle X)$ if it is the root of an infinite binary tree in which $\psi$ is satisfied globally. 

3. Similarly, the two-valued probabilistic $\mu$-calculus [4,24] is obtained by using the distribution functor $T = \mathcal D$ that maps sets $U$ to probability distributions over $U$ with countable support, defined by

$$\mathcal D(U) = \{d : U\to\mathbb Q\cap[0,1]\mid \textstyle\sum_{u\in U} d(u) = 1\}.$$

Then $T$-coalgebras are just Markov chains. We use the modal similarity type $\Lambda = \{\langle p\rangle,[p]\mid p\in\mathbb Q\cap[0,1]\}$ and define the predicate liftings

$$\llbracket\langle p\rangle\rrbracket_U(A) = \{d\in\mathcal D(U)\mid d(A) > p\}\qquad \llbracket[p]\rrbracket_U(A) = \{d\in\mathcal D(U)\mid d(\overline A)\le p\},$$

for sets $U$ and $A\subseteq U$, where again $d(A) = \sum_{a\in A} d(a)$. 

4. We interpret the graded $\mu$-calculus with polynomial inequalities over the semantic domain from item 2 (i.e. multigraphs). We put $\Lambda = \{L_{p,b}, M_{p,b}\mid p\in\mathbb N_{>0}[X_1,\ldots,X_n],\ b,n\in\mathbb N\}$ (that is, $p$ ranges over multivariate polynomials with positive integer coefficients) and define the predicate liftings

$$\begin{aligned}
\llbracket L_{p,b}\rrbracket_U(A_1,\ldots,A_n) &= \{\theta\in\mathcal B(U)\mid p(\theta(A_1),\ldots,\theta(A_n))\ge b\}\\
\llbracket M_{p,b}\rrbracket_U(A_1,\ldots,A_n) &= \{\theta\in\mathcal B(U)\mid p(\theta(\overline{A_1}),\ldots,\theta(\overline{A_n})) < b\},
\end{aligned}$$

for sets $U$ and $A_1,\ldots,A_n\subseteq U$, where $\theta(A) = \sum_{a\in A}\theta(a)$. This logic subsumes the Presburger $\mu$-calculus, that is, the extension of the graded $\mu$-calculus with (monotone) linear inequalities, which may be seen as the fixpoint variant of Presburger modal logic [7]. E.g. the formula $\mu Y.\,(r\vee L_{2X_1+X_2,\,2}(p\wedge Y, q\wedge Y))$ says that the current state is the root of a finite tree all whose leaves satisfy $r$, and each of whose inner nodes has $n_1$ children satisfying $p$ and $n_2$ children satisfying $q$ where $2n_1+n_2\ge 2$. One sees an apparent coding of the logic into the graded $\mu$-calculus, which however incurs exponential blowup. 

5. Similarly, we use the semantic domain from item 3, Markov chains, to obtain the probabilistic $\mu$-calculus with polynomial inequalities [23]: We put $\Lambda = \{L_{p,b}, M_{p,b}\mid p\in\mathbb Q_{\ge 0}[X_1,\ldots,X_n],\ b\in\mathbb Q_{\ge 0},\ n\in\mathbb N\}$ (i.e. $p$ ranges over polynomials) and

$$\begin{aligned}
\llbracket L_{p,b}\rrbracket_U(A_1,\ldots,A_n) &= \{d\in\mathcal D(U)\mid p(d(A_1),\ldots,d(A_n))\ge b\}\\
\llbracket M_{p,b}\rrbracket_U(A_1,\ldots,A_n) &= \{d\in\mathcal D(U)\mid p(d(\overline{A_1}),\ldots,d(\overline{A_n})) < b\}
\end{aligned}$$

for sets $U$ and $A_1,\ldots,A_n\subseteq U$. This logic presumably does not encode into the probabilistic $\mu$-calculus as in item 3 above, and can express constraints on independent products of events (see also [25]). E.g. the formula $\nu Y.\,L_{X_1X_2,\,0.9}(p\wedge Y, q\wedge Y)$ says roughly that two independently sampled successors of the current state will satisfy $p$ and $q$, respectively, and then satisfy the same property again, with probability at least $0.9$. 

(The modalities in the last two items are inevitably less general than in the corresponding next-step logics [7,23], due to the need to ensure monotonicity.) 
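The fixpoint semantics of Section 2 and the two example formulas of Example 1.1, as an added example that is not part of the paper: a Kleene-iteration evaluator for the standard modal $\mu$-calculus over a Kripke model (the instance $TU = \mathcal P(U)\times\mathcal P(P)$), which computes LFP and GFP by iterating from $\emptyset$ and from the full state set, respectively. The tuple encoding of formulas, the names `extension` and `satisfies`, and the four-state sample model are all constructed for this example.

```python
"""Kleene-iteration semantics for the standard modal mu-calculus over Kripke
models (the instance T U = P(U) x P(P) of Example 1.1).  Added example, not
the paper's code; the formula encoding and the sample model are constructed."""

# Formula encoding (an assumption of this example):
#   ('atom', p)   ('var', X)   ('or', f, g)   ('and', f, g)
#   ('box', f)    ('dia', f)   ('mu', X, f)   ('nu', X, f)

def extension(phi, model, val=None):
    """[[phi]]_val as a frozenset of states.
    model = (states, succ, atoms): succ[x] is the set of successors of x,
    atoms[x] the set of propositional atoms holding at x; val maps the free
    fixpoint variables of phi to sets of states (the valuation i)."""
    states, succ, atoms = model
    val = dict(val or {})            # copy: local updates must not leak
    kind = phi[0]
    if kind == 'atom':
        return frozenset(x for x in states if phi[1] in atoms[x])
    if kind == 'var':
        return val[phi[1]]
    if kind == 'or':
        return extension(phi[1], model, val) | extension(phi[2], model, val)
    if kind == 'and':
        return extension(phi[1], model, val) & extension(phi[2], model, val)
    if kind == 'box':                # all successors satisfy phi[1]
        a = extension(phi[1], model, val)
        return frozenset(x for x in states if succ[x] <= a)
    if kind == 'dia':                # some successor satisfies phi[1]
        a = extension(phi[1], model, val)
        return frozenset(x for x in states if succ[x] & a)
    if kind in ('mu', 'nu'):
        var, body = phi[1], phi[2]
        # LFP starts from the empty set, GFP from all states.  Every clause
        # is monotone, so on a finite model the chain stabilises and the limit
        # is the least (resp. greatest) fixpoint of A |-> [[body]]_{val[X->A]}.
        cur = frozenset() if kind == 'mu' else frozenset(states)
        while True:
            val[var] = cur
            nxt = extension(body, model, val)
            if nxt == cur:
                return cur
            cur = nxt
    raise ValueError(f"unknown constructor {kind!r}")

def satisfies(x, phi, model):
    """x |= phi for a closed formula phi."""
    return x in extension(phi, model)

# Constructed sample Kripke model: 0 -> {1, 2}, 1 -> {3}, 2 -> {2}, 3 -> {3},
# with the atom p holding at state 3 only.
MODEL = (
    {0, 1, 2, 3},
    {0: {1, 2}, 1: {3}, 2: {2}, 3: {3}},
    {0: set(), 1: set(), 2: set(), 3: {'p'}},
)

# AF p = mu X. (p or [] X): on all paths, p eventually holds.
AF_P = ('mu', 'X', ('or', ('atom', 'p'), ('box', ('var', 'X'))))
# nu X. mu Y. ((p and <> X) or <> Y): some path satisfies p infinitely often.
FAIR = ('nu', 'X', ('mu', 'Y', ('or', ('and', ('atom', 'p'), ('dia', ('var', 'X'))),
                                     ('dia', ('var', 'Y')))))

if __name__ == '__main__':
    print(sorted(extension(AF_P, MODEL)))   # state 0 fails: it can loop in 2
    print(sorted(extension(FAIR, MODEL)))   # state 2 fails: its only path never sees p
```

State 0 does not satisfy $AF\,p$ because the path $0\,2\,2\,2\ldots$ never reaches $p$, while it does satisfy the fairness formula via the path $0\,1\,3\,3\ldots$; the inner $\mu Y$ is recomputed from scratch for every outer $\nu X$ iterate, which is exactly the nesting of fixpoints that the alternation depth measures.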


3 Tracking Automata 


We use parity automata (e.g. [13]) that track single formulas along paths through potential models to decide whether it is possible to construct a model in which all least fixpoint formulas are eventually satisfied. Formally, (nondeterministic) parity automata are tuples $A = (V,\Sigma,\Delta,q_0,\alpha)$ where $V$ is a set of nodes; $\Sigma$ is a finite set, the alphabet; $\Delta\subseteq V\times\Sigma\times V$ is the transition relation, assigning a set $\Delta(v,a) = \{u\mid (v,a,u)\in\Delta\}$ of nodes to all $v\in V$ and $a\in\Sigma$; $q_0\in V$ is the initial node; and $\alpha : \Delta\to\mathbb N$ is the priority function, assigning priorities $\alpha(v,a,u)\in\mathbb N$ to transitions $(v,a,u)\in\Delta$ (this is the standard in recent work since it yields slightly more succinct automata). If $\Delta$ is a (partial) functional relation, then $A$ is said to be deterministic, and we denote the corresponding partial function by $\delta : V\times\Sigma\rightharpoonup V$. The automaton $A$ accepts an infinite word $w = w_0,w_1,\ldots\in\Sigma^\omega$ if there is a $w$-path through $A$ on which the highest priority that is passed infinitely often is even; formally, the language that is accepted by $A$ is defined by $L(A) = \{w\in\Sigma^\omega\mid\exists\rho\in\mathrm{run}(A,w).\ \max(\mathrm{Inf}(\alpha\circ\rho))\text{ is even}\}$, where $\mathrm{run}(A,w)$ denotes the set of infinite sequences $(\rho_0,w_0,\rho_1),(\rho_1,w_1,\rho_2),\ldots\in\Delta^\omega$ such that $\rho_0 = q_0$, and where, given an infinite sequence $S$, $\mathrm{Inf}(S)$ denotes the elements that occur infinitely often in $S$. Here, we see infinite sequences $\rho\in U^\omega$ over some set $U$ as functions $\mathbb N\to U$ and write $\rho_i$ to denote the $i$-th element of $\rho$. 

We now fix a target formula $\chi$ and put $n_0 = |\chi|$, $n_1 = \mathrm{size}(\chi)$. We let $F$ denote the Fischer-Ladner closure [20] of $\chi$, i.e. $F$ contains all formulas that can arise as subformulas when unfolding each fixpoint in $\chi$ exactly once. We put $k = \max\{\mathrm{ad}(\psi)\mid\psi\in F\}$ and $\mathrm{selections} = \mathcal P(F\cap\Lambda(F))$ ($F\cap\Lambda(F)$ is the set of modal literals in $F$). We have $|F|\le n_0$ and hence $|\mathrm{selections}|\le 2^{n_0}$. 


Definition 2 (Tracking automaton). The tracking automaton for $\chi$ is a nondeterministic parity automaton $A_\chi = (F,\Sigma,\Delta,q_0,\alpha)$, where $q_0 = \chi$,

$$\Sigma = \{(\psi_0\vee\psi_1,b)\in F\times\{0,1\}\}\cup\{(\psi_0\wedge\psi_1,0)\in F\times\{0\}\}\cup\{(\eta X.\,\psi_1,0)\in F\times\{0\}\}\cup\mathrm{selections},$$

and for $\psi,\psi_0,\psi_1\in F$, $\kappa\in\mathrm{selections}$ and $b\in\{0,1\}$,

$$\begin{aligned}
\Delta(\psi,\kappa) &= \{\psi_0\in F\mid\psi\in\kappa\cap\Lambda(\{\psi_0\})\}\\
\Delta(\psi,(\psi_0\vee\psi_1,b)) &= \{\psi_b\mid\psi = \psi_0\vee\psi_1\}\cup\{\psi\mid\psi\neq\psi_0\vee\psi_1\}\\
\Delta(\psi,(\psi_0\wedge\psi_1,0)) &= \{\psi_0,\psi_1\mid\psi = \psi_0\wedge\psi_1\}\cup\{\psi\mid\psi\neq\psi_0\wedge\psi_1\}\\
\Delta(\psi,(\eta X.\,\psi_1,0)) &= \{\psi_1[X\mapsto\eta X.\,\psi_1]\mid\psi = \eta X.\,\psi_1\}\cup\{\psi\mid\psi\neq\eta X.\,\psi_1\}
\end{aligned}$$

E.g. the last clause means that when tracking the unfolding of a fixpoint $\eta X.\,\psi_1$ at $\psi$, we track $\psi$ to the unfolding $\psi_1[X\mapsto\eta X.\,\psi_1]$ if $\psi$ equals the unfolded fixpoint, and to $\psi$ otherwise; similarly for the other clauses, and in particular a modal literal $\psi = \heartsuit\psi_0$ is only tracked to $\psi_0$ through a selection $\kappa$ if $\heartsuit\psi_0\in\kappa$, i.e. if $\kappa$ selects $\heartsuit\psi_0$ to be tracked. The priority function $\alpha$ is derived from the alternation depths of formulas, counting only unfoldings of fixpoints (i.e. all other transitions have priority 1). Formally, $\alpha(\psi,\sigma,\psi') = 1$ if $\psi = \psi'$ or $\psi$ is not a fixpoint literal; if $\psi$ is a fixpoint literal and $\psi\neq\psi'$, then we put $\alpha(\psi,\sigma,\psi') = \mathrm{ad}(\psi)$. 
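Definition 2 in executable form for the standard $\mu$-calculus instance, as an added example (not code from the paper): the Fischer-Ladner closure $F$, the alphabet $\Sigma$, the transition relation $\Delta$ and the priority function $\alpha$. The tuple encoding of formulas and letters and the names `subst`, `unfold`, `closure`, `alphabet`, `delta`, `priority` and `tracking_transitions` are assumptions of this example; `priority` takes the alternation depths as a caller-supplied table, since computing $\mathrm{ad}$ is not attempted here.

```python
"""Tracking-automaton ingredients of Definition 2 for the standard modal
mu-calculus (Example 1.1).  Added example, not the paper's code.

Formula encoding (an assumption of this example; formulas are closed, clean
and guarded as in Section 2):
  ('atom', p)  ('var', X)  ('or', f, g)  ('and', f, g)
  ('box', f)   ('dia', f)  ('mu', X, f)  ('nu', X, f)
Letters of Sigma are encoded as ('step', phi, b) for a letter (phi, b) with
phi a disjunction, conjunction or fixpoint, and as ('sel', kappa) for a
selection kappa, i.e. a frozenset of modal literals."""
from itertools import combinations

def subst(phi, x, by):
    """phi[X -> by]; a fixpoint binding X shadows the substitution."""
    k = phi[0]
    if k == 'var':
        return by if phi[1] == x else phi
    if k == 'atom':
        return phi
    if k in ('or', 'and'):
        return (k, subst(phi[1], x, by), subst(phi[2], x, by))
    if k in ('box', 'dia'):
        return (k, subst(phi[1], x, by))
    if k in ('mu', 'nu'):
        return phi if phi[1] == x else (k, phi[1], subst(phi[2], x, by))
    raise ValueError(f"unknown constructor {k!r}")

def unfold(phi):
    """eta X. psi1  |->  psi1[X -> eta X. psi1]"""
    return subst(phi[2], phi[1], phi)

def closure(chi):
    """Fischer-Ladner closure F of chi: every formula reachable by taking
    subformulas and unfolding each fixpoint once.  Fixpoint variables never
    appear, because a fixpoint is unfolded before its body is inspected."""
    F, todo = set(), [chi]
    while todo:
        phi = todo.pop()
        if phi in F:
            continue
        F.add(phi)
        k = phi[0]
        if k in ('or', 'and'):
            todo += [phi[1], phi[2]]
        elif k in ('box', 'dia'):
            todo.append(phi[1])
        elif k in ('mu', 'nu'):
            todo.append(unfold(phi))
    return F

def alphabet(F):
    """Sigma: (phi, 0) and (phi, 1) for disjunctions, (phi, 0) for
    conjunctions and fixpoints, plus selections = P(F meet Lambda(F))."""
    letters = set()
    for phi in F:
        if phi[0] == 'or':
            letters |= {('step', phi, 0), ('step', phi, 1)}
        elif phi[0] in ('and', 'mu', 'nu'):
            letters.add(('step', phi, 0))
    modal = [phi for phi in F if phi[0] in ('box', 'dia')]
    for r in range(len(modal) + 1):
        for sel in combinations(modal, r):
            letters.add(('sel', frozenset(sel)))
    return letters

def delta(psi, letter):
    """Delta(psi, letter) of Definition 2, as a set of successor formulas."""
    if letter[0] == 'sel':
        # A modal literal is tracked to its argument iff the selection picks
        # it; every other formula has no successor on a modal step.
        return {psi[1]} if psi in letter[1] else set()
    _, phi, b = letter
    if psi != phi:
        return {psi}                        # letter concerns another formula
    if phi[0] == 'or':
        return {phi[1 + b]}                 # choose disjunct b
    if phi[0] == 'and':
        return {phi[1], phi[2]}             # nondeterministic: both conjuncts
    if phi[0] in ('mu', 'nu'):
        return {unfold(phi)}                # unfold the fixpoint
    raise ValueError("step letters carry a disjunction, conjunction or fixpoint")

def priority(psi, psi_next, ad):
    """alpha(psi, sigma, psi'): 1 unless psi is a fixpoint literal that is
    actually unfolded, in which case its alternation depth ad[psi]."""
    if psi == psi_next or psi[0] not in ('mu', 'nu'):
        return 1
    return ad[psi]

def tracking_transitions(chi):
    """All transitions (psi, letter, psi') of A_chi over the node set F."""
    F = closure(chi)
    return {(psi, s, nxt) for psi in F for s in alphabet(F)
            for nxt in delta(psi, s)}

# Constructed input: AF p = mu X. (p or [] X)
AF_P = ('mu', 'X', ('or', ('atom', 'p'), ('box', ('var', 'X'))))

if __name__ == '__main__':
    F = closure(AF_P)
    print(len(F), len(alphabet(F)), len(tracking_transitions(AF_P)))
```

For $AF\,p$ the closure has the four elements $\mu X.(p\vee\Box X)$, $p\vee\Box\mu X.(\ldots)$, $p$ and $\Box\mu X.(\ldots)$, so $|F|\le n_0$ holds with $n_0 = 5$; the alphabet has five letters (two for the disjunction, one for the fixpoint, two selections), and the only transition that would receive the fixpoint's alternation depth as priority is the unfolding step out of $\mu X.(p\vee\Box X)$.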


Intuitively, words from $\Sigma^\omega$ encode infinite paths through coalgebras $(C,\xi)$ in which states $x\in C$ are labelled with sets $l(x)$ of formulas, where letters $\kappa\in\mathrm{selections}$ encode modal steps from states $x\in C$ with label $l(x)$ to states $y\in C$ with label $\{\psi\mid\heartsuit\psi\in\kappa\cap l(x)\}$. The automaton is built to accept $L(A_\chi) = \mathrm{BadBranch}_\chi$, where $\mathrm{BadBranch}_\chi$ is the set of words that encode a path on which a least fixpoint formula $\psi$ is unfolded infinitely often without being dominated by any outer fixpoint formula (i.e. one with alternation depth greater than $\mathrm{ad}(\psi)$). Letters $(\psi_0\vee\psi_1,b)$ choose disjuncts according to $b$, while for letters $(\psi_0\wedge\psi_1,0)$, the tracking automaton is nondeterministic, reflecting the fact that bad fixpoints can reside in either $\psi_0$ or $\psi_1$. The automaton $A_\chi$ has size $n_0$ and priorities 1 to $k$. Using a standard construction (e.g. [18]), we transform $A_\chi$ into an equivalent Büchi automaton of size $n_0k$. Then we determinize the Büchi automaton using, e.g., the Safra/Piterman construction [30,32] and obtain an equivalent deterministic parity automaton with priorities 0 to $2n_0k-1$ and size $O(((n_0k)!)^2)$. Finally we complement this parity automaton by increasing every priority by 1, obtaining a deterministic parity automaton $B_\chi = (D_\chi,\Sigma,\delta,v_0,\beta)$ of size $O(((n_0k)!)^2)$, with priorities 1 to $2n_0k$ and with

$$L(B_\chi) = \overline{L(A_\chi)} = \overline{\mathrm{BadBranch}_\chi} =: \mathrm{GoodBranch}_\chi,$$

i.e. $B_\chi$ is a deterministic parity automaton that accepts the words that encode paths along which satisfaction of least fixpoints is never deferred indefinitely. We define a labelling function $l : D_\chi\to\mathcal P(F)$ mapping each state of $B_\chi$ (e.g. a Safra tree) to the set of formulas occurring in it. 


Remark 3. It has been noted that the standard tracking automata for alternation-free formulas are, in fact, co-Büchi automata [10,16] and that the tracking automata for aconjunctive formulas are limit-deterministic parity automata [15]. These considerably simpler automata can be determinized to deterministic Büchi automata of size $3^{n_0}$ and to deterministic parity automata of size $O((n_0k)!)$ and with $2n_0k$ priorities, respectively. This observation also holds true for the tracking automata in this work, so that for formulas of suitable syntactic shape, Lemma 11 below yields accordingly lower bounds on the runtime of our satisfiability checking algorithm. 


4 Global Caching for the Coalgebraic μ-Calculus 


We now introduce a generic global caching algorithm for satisfiability in the coalgebraic $\mu$-calculus. Given an input formula $\chi$, the algorithm expands the determinized and complemented tracking automaton $B_\chi$ step by step and propagates (un)satisfiability through this graph; the algorithm terminates as soon as the initial node $v_0$ is marked as (un)satisfiable. The algorithm bears similarity to standard game-based algorithms for $\mu$-calculi [8,9,15]; however, it crucially deviates from these algorithms in the treatment of modal steps: Intuitively, our algorithm decides whether it is possible to remove some of the modal transitions as well as one of the transitions from each reachable pair $((\psi_0\vee\psi_1),0)$, $((\psi_0\vee\psi_1),1)$ of disjunction transitions within the automaton $B_\chi$ in such a way that the resulting sub-automaton of $B_\chi$ is totally accepting, that is, accepts any word for which there is an infinite run. In doing so, it is crucial that the labels of state nodes $v$ in the reduced automaton are one-step satisfiable, in a sense introduced next, in the set of states that are reachable from $v$ by the remaining modal transitions. Propagating (un)satisfiability over modal transitions thus involves one-step satisfiability checking, a functor-specific problem that in many instances can be solved in time singly exponential in $\mathrm{size}(\chi)$. In previous work [8], a variant of one-step satisfiability has been used in satisfiability games for coalgebraic $\mu$-calculi, which however leads to a doubly exponential number of modal moves for one of the players and hence does not yield a singly exponential upper bound on satisfiability checking (unless a suitable set of tableau rules is provided). 


Definition 4 (One-step satisfiability problem [26,33,35]). Let $V$ be a finite set, let $v\subseteq\Lambda(V)$ be such that $a\neq b$ whenever $\heartsuit_1 a$ and $\heartsuit_2 b$ are distinct elements of $v$, and let $U\subseteq\mathcal P(V)$. The one-step satisfiability problem for inputs $v$ and $U$ is to decide whether $TU\cap\llbracket v\rrbracket^1_U\neq\emptyset$, where

$$\llbracket v\rrbracket^1_U = \bigcap_{\heartsuit a\in v}\llbracket\heartsuit\rrbracket_U(\{u\in U\mid a\in u\}).$$

We put $\mathrm{size}(v) = \sum_{\heartsuit a\in v}\mathrm{size}(\heartsuit)$, and denote the time it takes to solve the problem on $v,U$ with $\mathrm{size}(v) = a$ and $|V| = b$ (hence $|U|\le 2^b$) by $t(a,b)$. 

Remark 5. We keep the definition of the actual one-step logic as mentioned in the introduction somewhat implicit in the above definition of the one-step satisfiability problem. One can see that it contains two layers: a purely propositional layer embodied in $U$, which postulates which propositional formulas over $V$ are satisfiable; and a modal layer with nesting depth of modalities uniformly equal to 1, embodied in the set $v$, which specifies constraints on an element of $TU$. 


Example 6. For the standard modal $\mu$-calculus (Example 1.1), the one-step satisfiability problem is to decide for given $v\subseteq\Lambda(V)$ and $U\subseteq\mathcal P(V)$ whether there is $A\in\mathcal P(U)\cap\llbracket v\rrbracket^1_U$, that is, a subset $A\subseteq U$ such that for each $\Diamond a\in v$, there is $u\in A$ such that $a\in u$, and for each $\Box a\in v$ and each $u\in A$, $a\in u$. Here we have $t(a,b)\le a\cdot 2^b$ where $a = \mathrm{size}(v)$, $b = |V|$. For the graded $\mu$-calculus (Example 1.2), the one-step satisfiability problem is to decide for $v,U$ as above whether there is a multiset $\theta\in\mathcal B(U)$ such that $\sum_{u\in U,\ a\in u}\theta(u) > m$ for each $\langle m\rangle a\in v$ and $\sum_{u\in U,\ a\notin u}\theta(u)\le m$ for each $[m]a\in v$. 
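Example 6 made concrete, as an added example that is not part of the paper: decision procedures for the one-step satisfiability problem of the relational instance (the $a\cdot 2^b$ procedure, which checks the largest box-respecting subset of $U$) and of the graded instance (a bounded brute-force search over multiplicities, not the counter-based method the paper later cites from [21]). The encodings of literals, the function names `one_step_sat_relational` and `one_step_sat_graded`, and the sample inputs are constructed here.

```python
"""One-step satisfiability for the relational and the graded instance of
Example 6.  Added example, not the paper's implementation.

A literal set v is a set of tuples (encoding assumed by this example)
  ('dia', a) / ('box', a)        relational:  <>a and []a,
  ('dia', m, a) / ('box', m, a)  graded:      <m>a and [m]a,
with a in V; U is an iterable of subsets of V given as frozensets."""
from itertools import product

def one_step_sat_relational(v, U):
    """Is P(U) meet [[v]]^1_U non-empty?  A witness A subseteq U has to
    satisfy every []a elementwise and every <>a by some member.  The largest
    box-respecting subset of U is the best candidate: it respects all boxes
    (they are checked per element) and any other witness is contained in
    it, so it has at least as many diamond witnesses.  Cost is linear in
    |v| * |U|, i.e. within the a * 2^b bound of Example 6."""
    boxes = {lit[1] for lit in v if lit[0] == 'box'}
    dias = {lit[1] for lit in v if lit[0] == 'dia'}
    A = [u for u in U if boxes <= u]
    return all(any(a in u for u in A) for a in dias)

def one_step_sat_graded(v, U):
    """Is there a multiset theta over U with sum_{a in u} theta(u) > m for
    every <m>a and sum_{a not in u} theta(u) <= m for every [m]a?
    Brute force over multiplicities 0..M with M = max m + 1 is complete:
    capping any solution at M keeps each <m>a satisfied (a capped summand
    already exceeds m on its own) and can only lower the sums constrained
    by [m]a, so a bounded witness exists whenever any witness does."""
    U = list(U)
    M = max((m for (_, m, _) in v), default=0) + 1
    for theta in product(range(M + 1), repeat=len(U)):
        ok = True
        for kind, m, a in v:
            if kind == 'dia':
                ok = ok and sum(t for t, u in zip(theta, U) if a in u) > m
            else:
                ok = ok and sum(t for t, u in zip(theta, U) if a not in u) <= m
        if ok:
            return True
    return False

# Constructed sample inputs over V = {a, b}.
U_ALL = [frozenset(s) for s in (set(), {'a'}, {'b'}, {'a', 'b'})]
U_SPLIT = [frozenset({'a'}), frozenset({'b'})]

V_REL = {('dia', 'a'), ('box', 'b')}          # <>a and []b
V_GR_OK = {('dia', 1, 'a'), ('box', 2, 'b')}  # <1>a and [2]b
V_GR_BAD = {('dia', 2, 'a'), ('box', 1, 'b')} # <2>a and [1]b

if __name__ == '__main__':
    print(one_step_sat_relational(V_REL, U_ALL))        # {a,b} witnesses <>a under []b
    print(one_step_sat_relational(V_REL, U_SPLIT))      # no box-respecting u contains a
    print(one_step_sat_graded(V_GR_OK, U_SPLIT))        # theta({a}) = 2 works
    print(one_step_sat_graded(V_GR_BAD, [frozenset({'a'})]))  # needs theta > 2 and <= 1
```

The relational check is the whole reason the standard $\mu$-calculus gets the $a\cdot 2^b$ bound in Example 6: no search over subsets of $U$ is needed because the candidate $A$ is determined by the boxes alone. The graded search is exponential in $|U|$ and in the (binary) size of the numbers $m$, which is why the paper instead imports the counter-based bound of [21, Lemma 1] in the proof of Proposition 13.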


Definition 7 (States and Prestates). A node $v$ of $B_\chi$ is a state if its label contains only modal literals ($l(v)\subseteq\Lambda(F)$), and otherwise a prestate, in which case we fix $\psi_v\in l(v)\setminus\Lambda(F)$. We write $\mathrm{states},\mathrm{prestates}\subseteq D_\chi$ for the sets of states and prestates, respectively. 

We next define $2n_0k$-ary set functions $f$ and $g$ that compute one-step (un)satisfiability w.r.t. their argument sets. 


Definition 8 (One-step propagation). For sets $G\subseteq D_\chi$ and $\mathbf X = X_1,\ldots,X_{2n_0k}\in\mathcal P(G)^{2n_0k}$ we put

$$\begin{aligned}
f(\mathbf X) = {}&\{v\in\mathrm{prestates}\mid\exists b\in\{0,1\}.\ \delta(v,(\psi_v,b))\in X_{\beta(v,(\psi_v,b))}\}\ \cup\\
&\{v\in\mathrm{states}\mid T(\textstyle\bigcup_{1\le i\le 2n_0k}X_i(v))\cap\llbracket l(v)\rrbracket^1\neq\emptyset\}\\
g(\mathbf X) = {}&\{v\in\mathrm{prestates}\mid\forall b\in\{0,1\}.\ \delta(v,(\psi_v,b))\in X_{\beta(v,(\psi_v,b))}\}\ \cup\\
&\{v\in\mathrm{states}\mid T(\textstyle\bigcup_{1\le i\le 2n_0k}X_i(v))\cap\llbracket l(v)\rrbracket^1 = \emptyset\},
\end{aligned}$$

where $\beta(v,(\psi_v,b))$ abbreviates $\beta(v,(\psi_v,b),\delta(v,(\psi_v,b)))$ and where

$$X_i(v) = \{l(u)\mid u\in X_i,\ \exists\kappa\in\mathrm{selections}.\ \delta(v,\kappa) = u,\ \beta(v,\kappa,u) = i\}.$$

Since for states $v$, $l(v)\subseteq\Lambda(F)$ and $X_i(v)\subseteq\mathcal P(F)$ for all $i$, one-step propagation steps for states are instances of the one-step satisfiability problem with $|V| = |F|$, solvable in time $t(n_1,n_0)$ because $\mathrm{size}(l(v))\le n_1$ and $|F|\le n_0$. 


Definition 9 (Propagation). Given a set $G$, we put

$$\begin{aligned}
E_G &= \eta_{2n_0k}X_{2n_0k}.\ \cdots\ \eta_2X_2.\ \eta_1X_1.\ f(\mathbf X)\\
A_G &= \overline{\eta}_{2n_0k}X_{2n_0k}.\ \cdots\ \overline{\eta}_2X_2.\ \overline{\eta}_1X_1.\ g(\mathbf X),
\end{aligned}$$

where $\mathbf X = X_1,\ldots,X_{2n_0k}$ for $X_i\subseteq G$, where $\eta_i = \mu$ for odd $i$, $\eta_i = \nu$ for even $i$, and where $\overline\mu = \nu$ and $\overline\nu = \mu$. 

The set $E_G$ contains nodes $v\in G$ for which there are choices for all disjunctions and modal transitions that are reachable from $v$ within $G$ (as indicated at the beginning of the section) such that the labels of all reachable states in the chosen sub-automaton of $B_\chi$ are one-step satisfiable and such that on all paths through the chosen sub-automaton, the highest priority that is passed infinitely often is even, the intuition being that no least fixpoint is unfolded infinitely often without being dominated. Dually, the set $A_G$ contains nodes for which there exist no such suitable choices. 

We recall that $v_0\in D_\chi$ is the initial state of the determinized and complemented tracking automaton $B_\chi$. The algorithm expands $B_\chi$ step by step starting from $v_0$; for prestates $u$, the expansion step adds nodes according to the fixed non-modal formula $\psi_u$ that is to be expanded next (Definition 7), and for states, the expansion follows all (matching) selections. The order of expansion can be chosen freely, e.g. by heuristic methods. Optional intermediate propagation steps can be used judiciously to realize on-the-fly solving. 


Algorithm 10 (Global caching). To decide the satisfiability of the input formula $\chi$, initialize the sets of unexpanded and expanded nodes, $U = \{v_0\}$ and $G = \emptyset$, respectively. 

1. Expansion: Choose some unexpanded node $u\in U$, remove $u$ from $U$, and add $u$ to $G$. If $u$ is a prestate, then add the set $\{\delta(u,\sigma)\mid\sigma\in\Sigma\cap(\{\psi_u\}\times\{0,1\})\}$ to $U$. If $u$ is a state, then add the set $\{\delta(u,\kappa)\mid\kappa\in\mathrm{selections}\}$ to $U$. 

2. Optional propagation: Compute $E_G$ and/or $A_G$. If $v_0\in E_G$, then return 'satisfiable'; if $v_0\in A_G$, then return 'unsatisfiable'. 

3. If $U\neq\emptyset$, then continue with step 1. 

4. Final propagation: Compute $E_G$. If $v_0\in E_G$, then return 'satisfiable', otherwise return 'unsatisfiable'. 


Lemma 11. Algorithm 10 runs in time $O(((n_0k)!)^{4n_0k}\cdot t(n_1,n_0))$. 

Proof. The loop of the algorithm expands the determinized and complemented tracking automaton node by node and hence is executed at most $|D_\chi|\in O(((n_0k)!)^2)\subseteq 2^{O(n_0k\log n_0)}$ times. A single expansion step can be implemented in time $O(2^{n_0})$ since propositional expansion is unproblematic and for the modal expansion of a state $u$, all (matching) selections, of which there are (at most) $2^{n_0}$, have to be considered. A single propagation step consists in computing two fixpoints of nesting depth $2n_0k$ of the functions $f$ and $g$ over $\mathcal P(D_\chi)^{2n_0k}$ and can hence be implemented in time $O(|D_\chi|^{2n_0k}\cdot t(n_1,n_0))\subseteq O((((n_0k)!)^2)^{2n_0k}\cdot t(n_1,n_0))\subseteq 2^{O(n_0^2k^2\log n_0+\log t(n_1,n_0))}$, noting that a single computation of $f(\mathbf X)$ and $g(\mathbf X)$ for a tuple $\mathbf X\in\mathcal P(D_\chi)^{2n_0k}$ can be implemented in time $O(t(n_1,n_0))$; this has been noted above for states, and prestates are unproblematic. Thus the complexity of the whole algorithm is dominated by the complexity of the propagation step. 


Corollary 12. If the one-step satisfiability problem of a coalgebraic logic can be solved in time $t(a,b)$ exponential in $a+b$ on inputs $v\subseteq\Lambda(V)$, $U\subseteq\mathcal P(V)$ with $\mathrm{size}(v) = a$, $|V| = b$, then the satisfiability problem of the corresponding coalgebraic $\mu$-calculus is in EXPTIME. 

Since the existence of a tractable set of tableau rules implies the required time bound on one-step satisfiability, the above result subsumes earlier bounds obtained by tableau-based approaches in [4,15,16]; however, it covers additional example logics for which no suitable tableau rules are known. In particular we have 


Proposition 13. The satisfiability problems of the following logics are in EXPTIME: 

– the standard $\mu$-calculus, 
– the graded $\mu$-calculus, 
– the (two-valued) probabilistic $\mu$-calculus, 
– the graded $\mu$-calculus with polynomial inequalities, 
– the (two-valued) probabilistic $\mu$-calculus with polynomial inequalities. 

(Tractable sets of tableau rules have previously been claimed for the graded [36] and Presburger [22] $\mu$-calculus but have since been discovered to be flawed [23].) 


Proof. It suffices to show that the respective one-step satisfiability problems can be solved on inputs $v\subseteq\Lambda(V)$, $U\subseteq\mathcal P(V)$ with $\mathrm{size}(v) = a$ and $|V| = b$ in singly exponential time in $a+b$, i.e. in time $t(a,b)\in 2^{p(a+b)}$ for $p$ at most polynomial. E.g. for standard relational modalities, we have $t(a,b) = a\cdot 2^b = 2^{b+\log a}$, see Example 6. While the bounds can be established by relatively easy arguments (e.g. using known bounds on sizes of solutions of systems of real or integer linear inequalities) for all of our remaining example logics, we import them from previous work for brevity. For the one-step satisfiability problem of graded modal logic, by [21, Lemma 1], we have $t(a,b)\le(2\cdot 2^a+2)^b\le 2^{ab+2b}$; the lemma uses counters to check joint one-step satisfiability of constraints and directly extends to the one-step satisfiability problem of graded modal logic with monotone polynomial inequalities, in which case we require $n$ counters for each $n$-ary polynomial. The bound for (two-valued) probabilistic modal logic (with polynomial inequalities) is shown in [23, Example 7]. 


Remark 14. We also obtain a polynomial bound on branching width in models for all our example logics simply by importing Lemma 6 and the observations in Example 7 from [23]. With the exception of the standard $\mu$-calculus, this bound appears to be new in all our example logics. Of course, for graded and Presburger $\mu$-calculi, polynomial branching holds only in their coalgebraic semantics, i.e. over multigraph models but not over Kripke models. 


5 Soundness and Completeness 


We now prove the central result, that is, the soundness and completeness of Algorithm 10. As the sets $E_G$ and $A_G$ grow monotonically with $G$, it suffices to prove equivalence of satisfiability and containment of the initial node $v_0$ in $E := E_{D_\chi}$. Our program is as follows: We show that $v_0\in E$ if and only if there is a pre-semi-tableau (Definition 15) for $\chi$ with unfolding timeouts (Definition 17), which in turn is the case if and only if $\chi$ is satisfiable. We establish the latter equivalence by constructing a model for $\chi$ from a given pre-semi-tableau with unfolding timeouts and, for the converse direction, extracting a pre-semi-tableau with unfolding timeouts from the model. 


Definition 15 (Pre-semi-tableau). Given a ternary relation $R\subseteq A\times B\times A$ and $a\in A$, $b\in B$, we generally write $R(a) = \{a'\in A\mid\exists b\in B.\ (a,b,a')\in R\}$ and $R(a,b) = \{a'\in A\mid(a,b,a')\in R\}$. Let $W\subseteq D_\chi$ and put $U = W\cap\mathrm{prestates}$ and $V = W\cap\mathrm{states}$. Given a ternary relation $L\subseteq W\times\Sigma\times W$, the pair $(W,L)$ is a pre-semi-tableau for $\chi$ if the following conditions hold: $L\subseteq\delta$; $T(L(v))\cap\llbracket l(v)\rrbracket^1\neq\emptyset$ for all $v\in V$; for each $u\in U$, there is exactly one $b\in\{0,1\}$ such that $L(u,(\psi_u,b)) = \{\delta(u,(\psi_u,b))\}$, and for all other $\sigma\in\Sigma$, $L(u,\sigma) = \emptyset$; and there is no $L$-cycle that contains only elements from $U$. A path through a pre-semi-tableau is an infinite sequence $(v_0,\sigma_0),(v_1,\sigma_1),\ldots\in(W\times\Sigma)^\omega$ such that for all $i$, $v_{i+1}\in L(v_i,\sigma_i)$. We denote the first state that is reachable by zero or more $L$-steps from a node $v\in W$ by $[v]$ (since there is no $L$-cycle within $U$, such a state always exists). 

Given a state $v$, the relation $L$ of a pre-semi-tableau thus picks a set $L(v)$ of nodes in which $l(v)$ is one-step satisfiable; given a prestate $u$, $L$ picks a single (pre)state that is obtained from $u$ by transforming the formula $\psi_u$. 


Definition 16 (Tracking timeouts). Given a path $\rho = (v_0,\sigma_0),(v_1,\sigma_1),\ldots$ through a pre-semi-tableau, we say that priority $i$ occurs (at position $j$) in $\rho$ if $\beta(v_j,\sigma_j,v_{j+1}) = i$, recalling that $\beta$ is the priority function of the determinised and complemented tracking automaton $B_\chi$. Then the path $\rho$ has tracking timeouts $\mathbf m = (m_{2n_0k},\ldots,m_1)$ if for each odd $1\le i\le 2n_0k$, priority $i$ occurs at most $m_i$ times in $\rho$ before some priority greater than $i$ occurs in $\rho$. Nothing is said about the $m_i$ for even $i$, which are in fact irrelevant and serve only to ease notation. A node $w\in W$ in a pre-semi-tableau $(W,L)$ has tracking timeouts $\mathbf m$ if every path through $(W,L)$ starting at $w$ has tracking timeouts $\mathbf m$. A pre-semi-tableau $(W,L)$ has tracking timeouts if each $w\in W$ has tracking timeouts $\mathbf m$ for some $\mathbf m$. 

Intuitively, a pre-semi-tableau $(W,L)$ has tracking timeouts if every word that encodes an infinite $L$-path through $W$ is accepted by $B_\chi$. The next definition is geared towards characterizing non-acceptance by $A_\chi$: 


Definition 17 (Traces and unfolding timeouts). Let $(W,L)$ be a graph with $L\subseteq W\times\Sigma\times W$ and labelling function $l : W\to\mathcal P(F)$. Given an $L$-path $\rho = (v_0,\sigma_0),(v_1,\sigma_1),\ldots$ (with $(v_i,\sigma_i,v_{i+1})\in L$ for $i\ge 0$) and a sequence of formulas $\Psi = \psi_0,\psi_1,\ldots$, we say that $\Psi$ is a trace of $\psi_0$ along $\rho$ (we also say that $\rho$ contains the trace $\Psi$) if $\psi_i\in l(v_i)$ and $\psi_{i+1}\in\Delta(\psi_i,\sigma_i)$ for all $i$. For $i$ with $\psi_i = \eta X.\,\psi$ for some fixpoint variable $X$ and some formula $\psi$, we say that $\Psi$ unfolds at level $\mathrm{ad}(\psi_i)$ at position $i$. Then the trace $\Psi$ has unfolding timeout $m\in\mathbb N$ for $\psi_0$ at level $j$ if $\Psi$ unfolds at most $m$ times at level $j$ before $\Psi$ unfolds at some level greater than $j$. The path $\rho$ has unfolding timeouts for $\psi_0$ at level $j$ if there is, for all its traces $\Psi$ of $\psi_0$, some $m$ such that $\Psi$ has unfolding timeout $m$ for $\psi_0$ at level $j$. A node $w\in W$ has unfolding timeouts at level $j$ for some formula $\psi$ if every path through $(W,L)$ that starts at $w$ and that contains infinitely many steps $(v_i,\sigma_i)$ such that $\sigma_i\in\mathrm{selections}$ has unfolding timeouts for $\psi$ at level $j$. (Since fixpoint variables are by assumption guarded by modal operators, it suffices to require timeouts just for such paths that contain infinitely many modal steps.) A node $w\in W$ has unfolding timeouts $\mathbf m = (m_k,\ldots,m_1)$ for some formula $\psi$ if every path through $(W,L)$ that starts at $w$ and that contains infinitely many steps $(v_i,\sigma_i)$ such that $\sigma_i\in\mathrm{selections}$ has, for each odd $1\le i\le k$, unfolding timeouts $m_i$ for $\psi$ at level $i$; again the unfolding timeouts for even $i$, that is, for greatest fixpoints, are irrelevant. The graph $(W,L)$ has unfolding timeouts if for each element $w\in W$ and each formula $\psi\in l(w)$, there is some vector $\mathbf m$ such that $w$ has unfolding timeouts $\mathbf m$ for $\psi$. We denote the set of nodes that have unfolding timeouts $\mathbf m$ for $\psi$ by $\mathrm{uto}(\psi,\mathbf m)\subseteq W$. 

A graph $(W,L)$ has unfolding timeouts if for all words that encode an infinite $L$-path through $(W,L)$, all runs of the nondeterministic tracking automaton $A_\chi$ on the word are non-accepting. We recall that a run of $A_\chi$ is accepting if it unfolds some least fixpoint infinitely often without having it dominated. 


Lemma 18. Let $(W,L)$ be a pre-semi-tableau. Then $(W,L)$ has tracking timeouts if and only if it has unfolding timeouts. 

Proof. We recall that $B_\chi$ is obtained from $A_\chi$ by determinization and subsequent complementation, so that we have $L(B_\chi) = \overline{L(A_\chi)}$. The result thus follows directly from the fact that having tracking timeouts means that $B_\chi$ accepts all words that encode a path in $(W,L)$, while having unfolding timeouts means that $A_\chi$ does not accept any word that encodes a path in $(W,L)$. 


Lemma 19. We have $v_0\in E$ if and only if there is a pre-semi-tableau for $\chi$ that has tracking timeouts. 

Combining Lemmas 19 and 18, we obtain 

Corollary 20. We have $v_0\in E$ if and only if there is a pre-semi-tableau for $\chi$ that has unfolding timeouts. 

We now show that satisfiability of $\chi$ and the existence of a pre-semi-tableau for $\chi$ with unfolding timeouts coincide. 

Definition 21. Given a pre-semi-tableau $(W,L)$ with set of states $V$, we put

$$\llbracket\psi\rrbracket = \{v\in V\mid l(v)\vdash_{PL}\psi\}\qquad \llbracket\psi\rrbracket_{\mathbf m} = \llbracket\psi\rrbracket\cap\{[u]\in V\mid u\in\mathrm{uto}(\psi,\mathbf m)\}$$

where $\psi\in F$, where $\vdash_{PL}$ denotes propositional entailment and where $\mathbf m$ is a vector of $k$ natural numbers. 

Thus we have $v\in\llbracket\psi\rrbracket_{\mathbf m}$ if there is a node $u\in W$ such that $[u] = v$ and $u$ has timeouts $\mathbf m$ for $\psi$. This serves to ease the proofs of the upcoming existence and truth lemmas, as it anchors the timeout vector $\mathbf m$ at the node $u$ instead of anchoring it at the state $v$, which may not have timeouts $\mathbf m$ for $\psi$ (namely, if a greatest fixpoint is unfolded on the $L$-path from $u$ to $v$). 


Definition 22 (Strong coherence). Let $(W,L)$ be a pre-semi-tableau with set $V$ of states. A coalgebra $\mathcal C = (V,\xi)$ is strongly coherent if for all states $v\in V$, for all formulas $\heartsuit\psi\in F$ and for all timeout vectors $\mathbf m$,

$$v\in\llbracket\heartsuit\psi\rrbracket_{\mathbf m}\ \text{ implies }\ \xi(v)\in\llbracket\heartsuit\rrbracket(\llbracket\psi\rrbracket_{\mathbf m}).$$
Strongly coherent coalgebras exist over pre-semi-tableaux: 


Lemma 23 (Existence). Let $(W,L)$ be a pre-semi-tableau with set of states $V$. Then there is a strongly coherent coalgebra over $V$. 

Since all least fixpoint literals are satisfied after finitely many unfolding steps in strongly coherent coalgebras with unfolding timeouts, they are models, i.e. satisfy all the formulas in their labels: 

Lemma 24 (Truth). In strongly coherent coalgebras that have unfolding timeouts, we have that for all $\psi\in F$, $\llbracket\psi\rrbracket\subseteq\llbracket\psi\rrbracket$, where the left-hand side is the set of states from Definition 21 and the right-hand side is the extension of $\psi$ in the coalgebra. 


Definition 25 (Timed-out satisfaction). Given sets $U\subseteq W$, a function $f : \mathcal P(W)\to\mathcal P(W)$ and an ordinal number $\lambda$, we define $f^\lambda(U) = U$ if $\lambda = 0$, $f^\lambda(U) = f(f^{\lambda'}(U))$ if $\lambda = \lambda'+1$, and $f^\lambda(U) = \bigcup_{\lambda'<\lambda}f^{\lambda'}(U)$ if $\lambda$ is a limit ordinal. The target formula $\chi$ is clean, so that it contains, for each fixpoint variable $X\in\mathcal V$, at most a single fixpoint literal $\eta X.\,\psi_0$ as a subformula; we denote this formula by $\theta(X)$. Given a coalgebra $(C,\xi)$, a formula $\psi$ and a vector $\boldsymbol\lambda = (\lambda_k,\ldots,\lambda_1)$ of ordinal numbers, we define $\llbracket\psi\rrbracket^{\boldsymbol\lambda} = \llbracket\psi\rrbracket_i$, where $i : \mathcal V\rightharpoonup\mathcal P(C)$ is defined, for fixpoint variables $X_j$ that occur freely in $\psi$ and for which we have $\theta(X_j) = \eta X_j.\,\psi_j$, by $i(X_j) = (\llbracket\psi_j\rrbracket^{X_j}_{i'})^{\lambda_j}(\emptyset)$ if $\eta = \mu$ and by $i(X_j) = \llbracket\nu X_j.\,\psi_j\rrbracket_{i'}$ if $\eta = \nu$, where $i'(X_{j'})$ is undefined for $j' > j$ and where $i'(X_{j'}) = i(X_{j'})$ for $j' < j$. Again the timeouts for greatest fixpoint variables are irrelevant and serve only to ease notation. 


Definition 26 (Strongly supporting Kripke frame). Let $(C,\xi)$ be a coalgebra. For states $x\in C$ and formulas $\psi$ such that $x\in\llbracket\psi\rrbracket$, let $\boldsymbol\lambda_{x,\psi}$ denote the least vector of ordinal numbers such that $x\in\llbracket\psi\rrbracket^{\boldsymbol\lambda_{x,\psi}}$. Also let, for $\psi\in F$, $\hat\psi$ be the subformula of $\chi$ such that $\psi$ is obtained from $\hat\psi$ by repeatedly replacing free variables $X$ by $\theta(X)$. A graph $(C,L)$ with $L\subseteq C\times\Sigma\times C$ and with labelling function $l : C\to\mathcal P(F)$ such that $l(x) = \{\psi\in F\mid x\in\llbracket\psi\rrbracket\}$ is a strongly supporting Kripke frame (for $(C,\xi)$) if 

– for all $\psi\in F$ and $x\in C$, if $x\notin\llbracket\psi\rrbracket$, then $L(x,(\psi,b)) = \emptyset$ for $b\in\{0,1\}$; if $x\in\llbracket\psi\rrbracket$, then we distinguish upon the shape of $\psi$: if $\psi = \psi_0\vee\psi_1$, then we require $L(x,(\psi,b)) = \{x\}$ for exactly one $b\in\{0,1\}$ with $x\in\llbracket\psi_b\rrbracket^{\boldsymbol\lambda_{x,\psi}}$ and $L(x,(\psi,\overline b)) = \emptyset$, where $\overline 1 = 0$, $\overline 0 = 1$; if $\psi = \psi_0\wedge\psi_1$ or $\psi = \eta X.\,\psi_0$, then we require $L(x,(\psi,0)) = \{x\}$. 

– for all $x\in C$ and $\kappa\in\mathrm{selections}$, we have $L(x,\kappa) = \{y\}$ for some $y\in A = \ldots$ if $A\neq\emptyset$, and $L(x,\kappa) = \emptyset$ otherwise. 

Lemma 27. Every coalgebra has a strongly supporting Kripke frame. 

Definition 28. Given a coalgebra $(C,\xi)$ with strongly supporting Kripke frame $(C,L)$, a formula $\psi$ and a valuation $i : \mathcal V\rightharpoonup\mathcal P(C)$, we define $\llbracket\psi\rrbracket^L_i$ by the same clauses as $\llbracket\psi\rrbracket_i$ in all cases except the following:

$$\begin{aligned}
\llbracket\psi_0\vee\psi_1\rrbracket^L_i &= \{x\in C\mid x\in\llbracket\psi_b\rrbracket^L_i,\ b\in\{0,1\},\ L(x,(\hat\psi_0\vee\hat\psi_1,b)) = \{x\}\}\\
\llbracket\heartsuit\psi\rrbracket^L_i &= \{x\in C\mid(Tg_\kappa)(\xi(x))\in\llbracket\heartsuit\rrbracket(\llbracket\psi\rrbracket^L_i)\}\\
\llbracket\mu X.\,\psi_0\rrbracket^L_i &= \{x\in C\mid x\text{ has unfolding timeouts at level }\mathrm{ad}(\mu X.\,\psi_0)\text{ for }\mu X.\,\hat\psi_0\text{ in }(C,L)\},
\end{aligned}$$

where $\widehat{\mu X.\,\psi_0} = \mu X.\,\hat\psi_0$ and $\widehat{\psi_0\vee\psi_1} = \hat\psi_0\vee\hat\psi_1$, and where $g_\kappa : C\to\{y_\kappa\mid L(x,\kappa) = \{y_\kappa\}\}$ is defined by $g_\kappa(c) = y_\kappa$ if and only if $\kappa = \{\heartsuit\psi\in F\mid c\in\llbracket\psi\rrbracket\}$. 


Strongly supporting Kripke frames have unfolding timeouts: 


Lemma 29. For all coalgebras (C, ξ) with strongly supporting Kripke frame
(C, L), all formulas ψ and all valuations i : V → P(C), we have ⟦ψ⟧^L_i ⊆ ⟦ψ⟧_i.


Lemma 30 (Soundness). Let χ be satisfiable. Then a pre-semi-tableau for χ
with unfolding timeouts can be constructed over a subset of D_χ.


Proof (Sketch). By Lemmas 27 and 29, any model of χ has a strongly supporting
Kripke frame (C, L) with unfolding timeouts. We derive a pre-semi-tableau for
χ from (C, L), inheriting unfolding timeouts.


Corollary 31 (Soundness and completeness). We have
v_0 ∈ E if and only if χ is satisfiable.


Our model construction moreover yields the same bound on minimum model
size as in earlier work on the coalgebraic μ-calculus [4]:


Corollary 32 (Small model property). Let χ be a satisfiable coalgebraic μ-
calculus formula. Then χ has a model of size O(((nk)!)^2) ∈ 2^{O(nk log(nk))}.
6 Conclusion


We have shown that the satisfiability problem of the coalgebraic μ-calculus is
in EXPTIME, subject to establishing a suitable time bound on the much sim-
pler one-step satisfiability problem. Prominent examples include the graded μ-
calculus, the (two-valued) probabilistic μ-calculus, and extensions of the prob-
abilistic and the graded μ-calculus, respectively, with (monotone) polynomial
inequalities; the EXPTIME bound appears to be new for the last two logics. We
have also presented a generic satisfiability algorithm that realizes the time bound
and supports global caching and on-the-fly solving. Moreover, we have obtained
a polynomial bound on minimum branching width in models for all example
logics mentioned above.
Abstract. Inductive-inductive types are a joint generalization of mutual
inductive types and indexed inductive types. In extensional type theory, 
inductive-inductive types can be constructed from inductive types, and 
this construction has been conjectured to work in intensional type theory 
as well. In this paper, we show that the existing construction requires 
Uniqueness of Identity Proofs, and present a new construction (which 
we conjecture generalizes) of one particular inductive-inductive type in 
cubical type theory, which is compatible with homotopy type theory. 


1 Introduction 


Inductive-inductive types allow for the mutual inductive definition of a type and 
a family over that type. As an example, we can simultaneously define contexts 
and types defined in a context, with dependently typed context extension: 


Ctx : Type, Ty : Ctx → Type,
ε : Ctx, U : (Γ : Ctx) → Ty Γ,
ext : (Γ : Ctx) → Ty Γ → Ctx, El : (Γ : Ctx) → Ty (ext Γ (U Γ)).


Such definitions have been used for example by Danielsson [9] and Chapman 
[5] to define intrinsically typed syntax of a dependent type theory, and Agda 
supports such definitions natively. 

These types have been studied extensively in Nordvall Forsberg [15]. There, 
in §5.3, inductive-inductive types with simple elimination rules (defined in op. 
cit. §3.2.5) are constructed from indexed inductive types in extensional type 
theory, and in §5.4 this is conjectured to work in intensional type theory as well. 

In this paper, we first show that this construction does not work in intensional 
type theory without assuming Uniqueness of Identity Proofs (UIP), which is 
incompatible with the Univalence axiom of Homotopy Type Theory [18]. We 
then give an alternate construction in cubical type theory [6], which is compatible 
with Univalence. Specifically, this paper makes the following contributions:¹


1 The formalization can be found at https://github.com/jashug/ConstructingII. 
1. In Sect. 2, we show that, in intensional type theory, if the types constructed
by Nordvall Forsberg satisfy the simple elimination rules, then UIP holds 
(formalized in both Coq and Agda). 

2. In Sect. 3, we give the construction of a particular inductive-inductive type 
with simple elimination rules in cubical type theory (formalized in cubical 
Agda). 


1.1 Syntax and Conventions 


We mostly mimic Agda syntax. The double bar symbol ≡ is used for definitions
directly and by pattern matching, and for equality of terms up to conversion.
We write (a : A) → B for the dependent product type, and A → B for the
non-dependent version. Functions are given by pattern matching f x = y or by
lambda expressions f = λx.y. Similarly (a : A) × B is the dependent pair type,
and A × B the non-dependent version. Pairs are (a, b), and projections are p.1
and p.2. The unit type is ⊤, with unique inhabitant ⋆. Identity types are x =_X y
for the type of identifications of x with y in type X, and we write refl for a
proof of reflexivity. We do not assume that axiom K holds for identity types. We
write Type for a universe of types (where Agda uses Set). In Sect. 3 we work in
cubical type theory, which will be explained there.


1.2 Running Example of an Inductive-Inductive Definition 


For the purposes of this paper, we will focus on one relatively simple inductive-
inductive definition (with only 5 clauses), parametrized by a type X, which is
given in Fig. 1. We will use this definition to prove that Nordvall Forsberg’s
construction implies UIP in Sect. 2 and as a running example to demonstrate
our construction in cubical type theory in Sect. 3.

Our example starts with the simplest inductive-inductive sorts, taking A :
Type and B : A → Type, and then populates A and B with simple constructors
which suffice for our proof of UIP. We have inj, which is supposed to give exactly
one element of each B a, while ext lets us mix Bs back into the As (mirroring the
type of context extension), and η gives us something to start with: one element of
A for each element of X (following the use of η in [15, Example 3.3]). The proof
of UIP in Sect. 2 proceeds by considering the type B (ext (η x) (inj (η x)))
for some x : X, and noticing that, while the simple elimination rules tell us
that there should only be one element of this type (given by inj), in Nordvall
Forsberg’s construction there are actually as many as there are proofs of x =_X x.

Our goal in this paper is to construct (A, B, η, ext, inj) of the types given in
Fig. 1 such that the simple elimination rules hold without using UIP. But first,
we will show why Nordvall Forsberg’s approach is not sufficient.


2 Deriving UIP 


Uniqueness of Identity Proofs (UIP) for a type X is the principle that, for all
x : X, y : X, p : x =_X y, q : x =_X y, the type p =_{x =_X y} q is inhabited.
Given X : Type, we consider the inductive-inductive definition

A : Type,
B : A → Type,
η : X → A,
ext : (a : A) → B a → A,
inj : (a : A) → B a.

This has simple elimination rules stating that for all motives (PA, PB) and methods
(Pη, Pext, Pinj)

PA : A → Type,
PB : (a : A) → B a → Type,
Pη : (x : X) → PA (η x),
Pext : (a : A) → PA a → (b : B a) → PB a b → PA (ext a b),
Pinj : (a : A) → PA a → PB a (inj a),

we have eliminators (EA, EB) satisfying equalities (Eη, Eext, Einj).

EA : (a : A) → PA a,
EB : (a : A) → (b : B a) → PB a b,
Eη : (x : X) → EA (η x) =_{PA (η x)} Pη x,
Eext : (a : A) → (b : B a) →
  EA (ext a b) =_{PA (ext a b)} Pext a (EA a) b (EB a b),
Einj : (a : A) → EB a (inj a) =_{PB a (inj a)} Pinj a (EA a).

Fig. 1. Running example


Equivalently, for all x : X, p : x =_X x, the type p =_{x =_X x} refl is inhabited. It
expresses that there is at most one proof of any equality. UIP is independent of
standard intensional type theory [13], and is inconsistent with Homotopy Type
Theory [18].

Nordvall Forsberg’s construction of inductive-inductive types is described in
[15, §5.3]. In this section, we show that if the simple elimination rules hold for
this construction of the inductive-inductive type in Fig. 1, then UIP holds for the
type X (Theorem 1). This argument has been formalized in both Coq version
8.8.0 [8] (see UIP_from_Forsberg_II.v) and Agda using the --without-K flag
(see UIP_from_Forsberg_II.agda).

To recap, Nordvall Forsberg [15, §5.3] constructs an inductive-inductive type
by first defining an approximation (the pre-syntax) which drops the A index
from B, leaving a mutual inductive definition. Concretely, we have Apre and Bpre
defined as in Fig. 2. Then a mutual indexed inductive definition is used to define
the index relationship between Apre and Bpre; these are the goodness predicates
Agood and Bgood. Finally, the inductive object (A, B, η, ext, inj) is defined by
pairing the pre-syntax with goodness proofs (see Fig. 3).

In extensional type theory, Nordvall Forsberg proved that Agood a is a mere
proposition (all inhabitants are equal) [15, Lemma 5.37(ii)]. In intensional type
theory as well, if function extensionality and UIP hold then Agood is a mere
Dropping the inductive index from B leaves a mutual inductive definition.

Apre : Type,
Bpre : Type,
ηpre : X → Apre,
extpre : Apre → Bpre → Apre,
injpre : Apre → Bpre.

Fig. 2. Pre-syntax for the running example


A mutual indexed inductive definition is used to define the index relationship
between Apre and Bpre:

Agood : Apre → Type,
Bgood : Apre → Bpre → Type,
ηgood : (x : X) → Agood (ηpre x),
extgood : (apre : Apre) → Agood apre →
  (bpre : Bpre) → Bgood apre bpre → Agood (extpre apre bpre),
injgood : (apre : Apre) → Agood apre → Bgood apre (injpre apre).


The inductive-inductive object is defined as

A = (apre : Apre) × Agood apre,
B (apre, agood) = (bpre : Bpre) × Bgood apre bpre,
η x = (ηpre x, ηgood x),
ext (apre, agood) (bpre, bgood) = (extpre apre bpre, extgood apre agood bpre bgood),
inj (apre, agood) = (injpre apre, injgood apre agood).

Here, the sorts A and B are defined as pairs of the pre-syntax with a goodness proof,
and operations are performed component-wise on both the pre-syntax and the
goodness proof (using sort and operation in their algebraic sense).

Fig. 3. Construction given by Nordvall Forsberg


proposition. This uniqueness of goodness proofs justifies having the definition of
B ignore the goodness proof agood, since Agood can have at most one value.
In the next two subsections, we prove that: 


1. If Agood a is a mere proposition then UIP holds for the type X (Lemma 2).
2. If the simple elimination rules from Fig. 1 hold for the (A, B, η, inj, ext)
constructed above then Agood a is a mere proposition (Lemma 5).


Combining these results, we conclude that Nordvall Forsberg’s construction sat- 
isfies the simple elimination rules in intensional type theory only if UIP holds 
(Theorem 1). 
2.1 Unique Goodness Implies UIP

We define notation (x == y) to mean the term
extpre (ηpre x) (injpre (ηpre y)) : Apre.


We first prove that there are at least as many proofs of Agood (x == y) as there
are of x =_X y.


Lemma 1 (x =_X y is a retract of Agood). For all x : X and y : X, there are
functions

f : x =_X y → Agood (x == y), g : Agood (x == y) → x =_X y,

such that for all e : x =_X y, g (f e) = e.

Proof. To define f, we let f refl =
extgood (ηpre x) (ηgood x) (injpre (ηpre x)) (injgood (ηpre x) (ηgood x)).
To define g, pattern matching on agood has only one possibility: agood =
extgood (ηpre x) (ηgood x) (injpre (ηpre x)) (injgood (ηpre x) (ηgood x)),
forcing y to be x, and in this case x =_X y holds by reflexivity. Then when
e = refl, f e returns a proof in the format matched by g, so g (f refl) = refl,
and thus g (f e) = e.


Lemma 2 (Unique goodness implies UIP). If Agood t is a mere proposition
for all t : Apre, then UIP holds for the type X.


Proof. Assume goodness proofs are unique, and take x : X, y : X, with p : x = y,
q : x = y. We want to show that p = q. Using the f and g from Lemma 1,

p = g (f p)   by Lemma 1
  = g (f q)   by uniqueness in Agood (x == y), f p = f q
  = q         by Lemma 1.


2.2 Simple Elimination Rules Imply Unique Goodness 


Now we prove that there are at least as many proofs of B (tpre, tgood) as there
are of Agood tpre.


Lemma 3 (Agood is a retract of B). For all tpre : Apre and tgood : Agood tpre,
there are functions

f : Agood tpre → B (tpre, tgood), g : B (tpre, tgood) → Agood tpre

such that for all agood : Agood tpre, g (f agood) = agood.
Proof. We define f agood = (injpre tpre, injgood tpre agood). By induction on
Bgood, we define a function

g' : (apre : Apre) → (bpre : Bpre) → Bgood apre bpre → Agood apre

taking

g' apre (injpre apre) (injgood apre agood) = agood.

Then we can define g (bpre, bgood) = g' tpre bpre bgood. Then g (f agood) = agood
holds by reflexivity.


Lemma 4 (B a is contractible). Assuming the simple elimination rules from
Fig. 1 hold for the (A, B, η, inj, ext) constructed above, for all a : A and b : B a,
inj a =_{B a} b.


Proof. Referring to the simple elimination rules given in Fig. 1, we pattern match
on B by giving motives (PA, PB) and methods (Pη, Pext, Pinj), and then using
the resulting EB.

We set PA a = ⊤, and take PB a b = inj a =_{B a} b. Then we have Pη x = ⋆,
and Pext a ⋆ b ⋆ = ⋆, and we take Pinj a ⋆ = refl : inj a =_{B a} inj a. The
conclusion follows by EB : (a : A) → (b : B a) → inj a =_{B a} b.


Lemma 5 (Simple elimination rules imply unique goodness). If the sim-
ple eliminators hold for the (A, B, η, inj, ext) constructed above, then for all
t : Apre, Agood t is a mere proposition.


Proof. Assume that the simple elimination rules hold, and take t : Apre, and a_1
and a_2 in Agood t. We use the definition of f and g from Lemma 3 with tpre = t
and tgood = a_1.

By Lemma 4, we know that

inj (t, a_1) =_{B (t, a_1)} f a_2.

Applying g to both sides, and recognizing that g (inj (t, a_1)) computes to a_1,
while g (f a_2) computes to a_2, we find that

a_1 = g (inj (t, a_1)) =_{Agood t} g (f a_2) = a_2.
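The definitions of Figs. 2 and 3 together with the retractions of Lemmas 1 and 3 and the derivation of Lemma 2, written out in Agda as an added example; this is not the paper's own UIP_from_Forsberg_II.agda, it assumes the --without-K flag and a type X supplied as a module parameter, and it stops before Lemmas 4 and 5, which need the simple eliminators as a hypothesis.

```agda
{-# OPTIONS --without-K --safe #-}
-- Assumption: X is an arbitrary type, supplied as a module parameter.
module UIPFromGoodness (X : Set) where

open import Agda.Builtin.Equality  -- _≡_ and refl
open import Agda.Builtin.Sigma     -- Σ and _,_

-- Fig. 2: the pre-syntax, a plain mutual inductive definition
data Apre : Set
data Bpre : Set

data Apre where
  ηpre   : X → Apre
  extpre : Apre → Bpre → Apre

data Bpre where
  injpre : Apre → Bpre

-- Fig. 3: goodness predicates, a mutual indexed inductive definition
data Agood : Apre → Set
data Bgood : Apre → Bpre → Set

data Agood where
  ηgood   : (x : X) → Agood (ηpre x)
  extgood : (a : Apre) → Agood a → (b : Bpre) → Bgood a b → Agood (extpre a b)

data Bgood where
  injgood : (a : Apre) → Agood a → Bgood a (injpre a)

-- Fig. 3: the inductive-inductive object, pairing pre-syntax with goodness
A : Set
A = Σ Apre Agood

B : A → Set
B (apre , _) = Σ Bpre (Bgood apre)

η : X → A
η x = ηpre x , ηgood x

ext : (a : A) → B a → A
ext (apre , agood) (bpre , bgood) = extpre apre bpre , extgood apre agood bpre bgood

inj : (a : A) → B a
inj (apre , agood) = injpre apre , injgood apre agood

-- Sect. 2.1: (x == y) abbreviates extpre (ηpre x) (injpre (ηpre y))
_==_ : X → X → Apre
x == y = extpre (ηpre x) (injpre (ηpre y))

-- Lemma 1: x ≡ y is a retract of Agood (x == y)
f₁ : {x y : X} → x ≡ y → Agood (x == y)
f₁ {x} refl = extgood (ηpre x) (ηgood x) (injpre (ηpre x)) (injgood (ηpre x) (ηgood x))

-- the only constructor shape that fits forces y to be x; no axiom K is needed
g₁ : {x y : X} → Agood (x == y) → x ≡ y
g₁ (extgood _ _ _ (injgood _ _)) = refl

g₁-f₁ : {x y : X} (e : x ≡ y) → g₁ (f₁ e) ≡ e
g₁-f₁ refl = refl

-- Lemma 3: Agood tpre is a retract of B (tpre , tgood), whatever tgood is
f₃ : {tpre : Apre} {tgood : Agood tpre} → Agood tpre → B (tpre , tgood)
f₃ {tpre} agood = injpre tpre , injgood tpre agood

-- the helper g' of the proof, defined by induction on Bgood
g′ : (apre : Apre) (bpre : Bpre) → Bgood apre bpre → Agood apre
g′ _ _ (injgood _ agood) = agood

g₃ : {tpre : Apre} {tgood : Agood tpre} → B (tpre , tgood) → Agood tpre
g₃ {tpre} (bpre , bgood) = g′ tpre bpre bgood

g₃-f₃ : {tpre : Apre} {tgood : Agood tpre} (agood : Agood tpre)
      → g₃ {tpre} {tgood} (f₃ {tpre} {tgood} agood) ≡ agood
g₃-f₃ _ = refl

-- groupoid operations on ≡ (not provided by the builtin modules)
sym : {T : Set} {a b : T} → a ≡ b → b ≡ a
sym refl = refl

trans : {T : Set} {a b c : T} → a ≡ b → b ≡ c → a ≡ c
trans refl q = q

cong : {S T : Set} (h : S → T) {a b : S} → a ≡ b → h a ≡ h b
cong h refl = refl

isProp : Set → Set
isProp P = (p q : P) → p ≡ q

-- Lemma 2: if every Agood t is a mere proposition, UIP holds for X
uip-from-unique-goodness : ((t : Apre) → isProp (Agood t))
                         → {x y : X} (p q : x ≡ y) → p ≡ q
uip-from-unique-goodness unique {x} {y} p q =
  trans (sym (g₁-f₁ p))                                            -- p = g₁ (f₁ p)
        (trans (cong (g₁ {x} {y}) (unique (x == y) (f₁ p) (f₁ q)))  --   = g₁ (f₁ q)
               (g₁-f₁ q))                                          --   = q
```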


2.3 Simple Elimination Rules for Nordvall Forsberg’s Construction 
only if UIP 


Theorem 1. If the simple elimination rules hold for Nordvall Forsberg’s con- 
struction, then UIP holds for the type X. 


Proof. Compose the results of Lemmas 2 and 5. 


Therefore Nordvall Forsberg’s approach to constructing inductive-inductive 
types requires UIP. Since UIP is inconsistent with the Univalence axiom at the 
center of Homotopy Type Theory (HoTT) [18], we have an incentive to come up 
with a different construction which is consistent with HoTT. 
3 Constructing an Inductive-Inductive Type in Cubical Type Theory


Cubical type theory [6] is a recently developed type theory which gives a con- 
structive interpretation of the Univalence axiom of Homotopy Type Theory. It 
has an implementation as a mode for Agda [19], which we use to formalize the 
construction given in this section of the running example from Fig. 1. 

The most important difference between cubical type theory and standard
intensional type theory as implemented by Coq or vanilla Agda is that the iden-
tity type x =_X y is represented (loosely speaking) by the type of functions p
from an interval type I with two endpoints i_0 and i_1 to X such that p i_0 reduces
to x and p i_1 reduces to y. This allows, for example, a simple proof of function
extensionality: if we have A : Type, B : A → Type, f and g functions of type
(a : A) → B a, and h : (a : A) → f a = g a, then we have (λi.λa.h a i) : f = g.
Taking cong f = λp.λi.f (p i) : x = y → f x = f y and ∘ for function composi-
tion, we also have nice properties such as (cong f) ∘ (cong g) = cong (f ∘ g).

In this section, we construct the running example from Fig. 1, along with the 
simple elimination rules, in cubical type theory. Our construction proceeds in 
several steps: 


— In Sect. 3.1, we approximate by dropping the indices, leaving a standard
mutual inductive definition called the pre-syntax. This is the same as the
pre-syntax given in Fig. 2.

— In Sect. 3.2, we define goodness algebras, collections of predicates over the pre-
syntax which define the index relationship (analogously to Agood and Bgood
from Sect. 2). We also show that a goodness algebra exists, and call it O.

— In Sect. 3.3, we define a predicate nice on goodness algebras, such that if we
have a nice goodness algebra, then we can construct the simple elimination
rules. Being nice is similar to having proofs of goodness be unique as in Sect. 2.

— In Sect. 3.4, we use pattern matching over the pre-syntax to define a function
S from goodness algebras to goodness algebras.

— In Sect. 3.5, we define the limit of the sequence

O, S O, S (S O), …, Sⁿ O, …

and show that it is nice. This is the only section that utilizes the differences
between cubical type theory and standard intensional type theory.


Given the nice goodness algebra in Sect. 3.5 we can then construct the sim-
ple elimination rules by Sect. 3.3. This construction has been formalized
in Agda² using the --cubical flag which implies --without-K (see
RunningExample.agda).

The intuition for our construction is that Nordvall Forsberg’s approach
of pairing an approximation with goodness predicates can be repeated, and each
time the approximation gets better. Using HoTT terminology, we showed in


? Agda version 2.6.0 commit bd338484d. 
Sect. 2 that one iteration suffices only if X has homotopy level 0 (is a homotopy
set, satisfies UIP). In general, n + 1 iterations are sufficient if and only if X has
homotopy level n. The successor goodness algebra defined in Sect. 3.4 is a slightly
simplified version of Nordvall Forsberg’s construction, and taking the limit (in
Sect. 3.5) gives a construction which works for arbitrary homotopy levels.


3.1 Pre-syntax 


The pre-syntax is the same as that used in Sect. 2, defined as a mutually inductive 
type in Fig. 2. The constructors of the pre-syntax have the same types as the 
constructors of the full inductive-inductive definition (given in Fig. 1), except we 
replace B a with Bpre everywhere, ignoring the dependence of B on A. 

Consider this as the closest approximation of the target inductive-inductive
type by a standard inductive type; the dependence of B on A is the only new ele-
ment that inductive-inductive definitions add. Of course, this is only an approx-
imation. We can form elements of the pre-syntax, such as

extpre (ηpre x) (injpre (ηpre y))

for x ≠ y that should be excluded from the inductive-inductive formulation,
since inj (η y) : B (η y) while ext (η x) : B (η x) → A.

We will use definitions by induction and by pattern-matching on the pre-
syntax in Sects. 3.3 and 3.4 respectively.


3.2 Goodness Algebras 


As we saw in Sect. 3.1, the pre-syntax is too lenient, and contains terms we
want to exclude from the inductive-inductive object. In this section, we define
a notion of sub-algebra of the pre-syntax, which we will call a goodness alge-
bra, and explain how to combine a goodness algebra with the pre-syntax to
get an inductive-inductive object (A, B, η, ext, inj). We also define a goodness
algebra O.

In Fig. 4, for each clause of the inductive-inductive specification, we define 3
things:

1. For each sort X a type Ix X giving the data X depends on, and for each
operation F constructing an element of sort X, a family Arg F : Y → Ix X →
Type where Y collects the arguments of the operation in the pre-syntax, where
Arg F y φ gives the data needed to justify that pre-syntax constructed by Fpre
from y has index φ. In later sections we will also write Ix X δ^G and Arg F δ^G
to specify which goodness algebra we are working in.

2. The type of the corresponding component in the goodness algebra. For sorts,
this is a predicate relating Ix and the pre-syntax, while for the operations,
this is a function witnessing that each element of Arg gives a goodness proof
relating the index φ to the pre-syntax.
For our running example from Figure 1, a goodness algebra is the type of tuples
δ^G = (δ^G.A, δ^G.B, δ^G.η, δ^G.ext, δ^G.inj)
with the types defined below. Simultaneously, we define how to combine a goodness
algebra δ^G with the pre-syntax to construct an inductive-inductive object
(A, B, η, ext, inj).

Ix A = ⊤,
δ^G.A : Ix A → Apre → Type,
A = (a : Apre) × δ^G.A ⋆ a,
Ix B = A,
δ^G.B : Ix B → Bpre → Type,
B φ = (b : Bpre) × δ^G.B φ b,
Arg η x φ = ⊤ × ⋆ =_{Ix A} φ,
δ^G.η : (x : X) → (φ : Ix A) → Arg η x φ → δ^G.A φ (ηpre x),
η x = (ηpre x, δ^G.η x ⋆ (⋆, refl)),
Arg ext (a, b) φ = ((a^G : δ^G.A ⋆ a) × δ^G.B (a, a^G) b) × ⋆ =_{Ix A} φ,
δ^G.ext : (p : Apre × Bpre) → (φ : Ix A) → Arg ext p φ → δ^G.A φ (extpre p),
ext ((apre, agood), (bpre, bgood)) =
  (extpre apre bpre, δ^G.ext (apre, bpre) ⋆ ((agood, bgood), refl)),
Arg inj a φ = (a^G : δ^G.A ⋆ a) × (a, a^G) =_{Ix B} φ,
δ^G.inj : (a : Apre) → (φ : Ix B) → Arg inj a φ → δ^G.B φ (injpre a),
inj (apre, agood) = (injpre apre, δ^G.inj apre (apre, agood) (agood, refl)).

We also define the goodness algebra O by

O.A φ a = ⊤, O.B φ b = ⊤,
O.η x φ t = ⋆, O.ext (a, b) φ t = ⋆, O.inj a φ t = ⋆.

Fig. 4. Goodness algebras


3. A way to combine the goodness algebra with the pre-syntax to form an 
inductive-inductive object. For sorts, we pair the pre-syntax with a good- 
ness proof, while for operations we apply the operation given by the goodness 
algebra, mimicking the construction in Fig. 3. 


304 J. Hugunin

Comparing this definition to the construction in Sect. 2, the mutual inductive
definition of Agood and Bgood (in Fig. 3) has types equivalent to the result of
dropping the dependence of δ^G.B on δ^G.A (defined in Fig. 4), going from

δ^G.B : (a : Apre) × δ^G.A ⋆ a → Bpre → Type to Bgood : Apre → Bpre → Type.


The other difference is that we replace the inductive index (call it s) in the
conclusion by a fresh variable φ, with the condition s = φ included in Arg.


3.3 Niceness 


In this section, we identify a property niceness that is sufficient for a good-
ness algebra to produce an inductive-inductive object (A, B, η, ext, inj) which
satisfies the simple elimination rules, as given in Fig. 1.

To define niceness, we use the concept of equivalence, as defined in Uni- 
valent Foundations Program [18] (§4.4 Contractible fibers). Given a function 
f: A — B, we write isEquiv f (leaving A and B implicit) to denote that f is an 
equivalence between A and B. We will also write A ~ B for the type of pairs of 
a function f with a proof that f is an equivalence. 

We will say that a goodness algebra is nice if we have equivalence proofs
(δ^N.η, δ^N.ext, δ^N.inj), with types

δ^N.η x φ : isEquiv (δ^G.η x φ),
δ^N.ext (a, b) φ : isEquiv (δ^G.ext (a, b) φ),
δ^N.inj a φ : isEquiv (δ^G.inj a φ).

Equivalences between types are very close to equalities between types (the
Univalence axiom makes this precise). If we have a nice goodness algebra, the
combined data looks similar to a recursive definition:

δ^G.A : ⊤ → Apre → Type,
δ^G.B : ((a : Apre) × δ^G.A ⋆ a) → Bpre → Type,
δ^G.A φ (ηpre x) ≃ Arg η x φ,
δ^G.A φ (extpre a b) ≃ Arg ext (a, b) φ,
δ^G.B φ (injpre a) ≃ Arg inj a φ.

However, the dependence of δ^G.B on δ^G.A makes this what Nordvall Forsberg
calls a “recursive-recursive” definition, and so we cannot use the standard elim-
inator of the pre-syntax. In Sect. 3.5, we will expend much effort to construct
a solution to this system. Once we have done so, the inductive-inductive object


produced by the goodness algebra will satisfy the simple elimination rules, as we 
show in the following lemma. 


Lemma 6 (Nice goodness algebras give simple elimination rules).
Given a goodness algebra δ^G with proof of niceness δ^N, the inductive-inductive
object (A, B, η, ext, inj) produced from δ^G as specified in Sect. 3.2 satisfies the
simple induction rules given in Fig. 1.
Proof. The proof is formalized in RunningExample.agda. The main idea of the
proof is to induct on the pre-syntax, and exploit the equivalences provided by
niceness δ^N. In the inj case for example, we have a proof of δ^G.B φ (injpre a).
But without loss of generality, we can replace that goodness proof with δ^G.inj
applied to an element of Arg inj a φ, which contains both a proof agood : δ^G.A ⋆
a and a proof that (a, agood) = φ. Using J to eliminate that equality leaves a
goal to which the provided simple induction step for inj applies. This proof does
not use cubical type theory in any essential way.


3.4 Successor Goodness Algebra 


We are trying to create a nice goodness algebra by taking the limit of successive
approximations, so we need a step function, which we will call S, that takes a
goodness algebra δ^G and returns a new goodness algebra S δ^G, which is closer
in some sense to being nice. We do so by pattern matching on the pre-syntax to
unroll one level of the recurrence equations niceness encodes.

We define by pattern matching

(E δ^G).A : (a : Apre) → (φ : Ix A δ^G) → (Y : Type) × (Y → δ^G.A φ a),
(E δ^G).B : (b : Bpre) → (φ : Ix B δ^G) → (Y : Type) × (Y → δ^G.B φ b),
(E δ^G).A (ηpre x) = λφ. (Arg η δ^G x φ, δ^G.η x φ),
(E δ^G).A (extpre a b) = λφ. (Arg ext δ^G (a, b) φ, δ^G.ext (a, b) φ),
(E δ^G).B (injpre a) = λφ. (Arg inj δ^G a φ, δ^G.inj a φ),


which gives a new property Y which maps back to δ^G.B φ b for each b and φ,
and similarly for A.

Then, in Fig. 5, we define the new goodness algebra (S δ^G) along with pro-
jection functions (δ^π δ^G) which take Ix and Arg from (S δ^G) to δ^G.

The projection functions (δ^π δ^G) consist of applying the map given by the
second component of (E δ^G) everywhere in sight. The sorts are then defined by
the first component of (E δ^G), while the operations can be defined to be the
corresponding projection function itself.

Concretely, for the sort B, we define (δ^π δ^G).B to map between Ix B (S δ^G)
and Ix B δ^G. This consists of applying the function ((E δ^G).A apre ⋆ .2) which
we defined by pattern matching above to agood. Then, since (S δ^G).B gets an
inductive index φ in (S δ^G) but ((E δ^G).B b φ .1) is expecting an inductive index
in δ^G, we span the gap with the projection function (δ^π δ^G).B just defined. The
definition of A follows the same pattern, but (δ^π δ^G).A is even simpler because
Ix A δ^G = ⊤ regardless of what goodness algebra we are working in.

For the operations, consider inj. Like with the sorts, we first define a projec-
tion function (δ^π δ^G).inj a φ, which maps from Arg inj (S δ^G) to Arg inj δ^G,
and we fix up the inductive index φ with (δ^π δ^G).B. For the first component of
Arg, we use the function given by the second component of (E δ^G).A to fix up
agood. For the second component, applying the projection (δ^π δ^G).B to the equal-
ity proof works out on the left hand side because all these projection functions
We define the successor algebra (S δ^G) along with projection functions (δ^π δ^G) by:

(δ^π δ^G).A : Ix A (S δ^G) → Ix A δ^G,
(δ^π δ^G).A = λ⋆.⋆,
(S δ^G).A φ a = (E δ^G).A a ((δ^π δ^G).A φ) .1,
(δ^π δ^G).B : Ix B (S δ^G) → Ix B δ^G,
(δ^π δ^G).B = λ(apre, agood). (apre, (E δ^G).A apre ⋆ .2 agood),
(S δ^G).B φ b = (E δ^G).B b ((δ^π δ^G).B φ) .1,
(δ^π δ^G).η x φ : Arg η (S δ^G) x φ → Arg η δ^G x ((δ^π δ^G).A φ),
(δ^π δ^G).η x φ = λ(⋆, p). (⋆, cong ((δ^π δ^G).A) p),
(S δ^G).η x φ = (δ^π δ^G).η x φ,
(δ^π δ^G).ext (a, b) φ : Arg ext (S δ^G) (a, b) φ → Arg ext δ^G (a, b) ((δ^π δ^G).A φ),
(δ^π δ^G).ext (a, b) φ = λ((agood, bgood), p). let a^G := (E δ^G).A a ⋆ .2 agood in
  ((a^G, (E δ^G).B b (a, a^G) .2 bgood), cong ((δ^π δ^G).A) p),
(S δ^G).ext (a, b) φ = (δ^π δ^G).ext (a, b) φ,
(δ^π δ^G).inj a φ : Arg inj (S δ^G) a φ → Arg inj δ^G a ((δ^π δ^G).B φ),
(δ^π δ^G).inj a φ = λ(agood, p). ((E δ^G).A a ⋆ .2 agood, cong ((δ^π δ^G).B) p),
(S δ^G).inj a φ = (δ^π δ^G).inj a φ.

Fig. 5. Successor goodness algebra


are doing the same thing: applying the function given by the second component
of (E δ^G) everywhere. Finally, we can define (S δ^G).inj = (δ^π δ^G).inj, because
(S δ^G).inj a φ is supposed to have codomain

(S δ^G).B φ (injpre a),

which is defined to be

(E δ^G).B (injpre a) ((δ^π δ^G).B φ) .1,

which reduces on (injpre a) to

Arg inj δ^G a ((δ^π δ^G).B φ),

which is exactly the codomain of (δ^π δ^G).inj a φ.


3.5 Limit of Goodness Algebras 


We will now construct a nice goodness algebra by taking the limit of the sequence
Sⁿ O and showing that it is nice, where Sⁿ O is defined by recursion on n with
S⁰ O = O, S^{1+n} O = S (Sⁿ O). But first, we consider the limit of a chain of types.
Limit of Types. This subsection Limit of Types is formalized in Chain.agda.
In order to take the limit of successive goodness algebras, we need to know
how to work with chains of types. Specifically, given (X : ℕ → I → Type) and
π : (n : ℕ) → X (n+1) i_0 → X n i_1, we consider the limit given by the type

chain.t X π = (f : (n : ℕ) → X n i_0) × ((n : ℕ) → f n =_{X n} π n (f (n+1))).

If we have x : chain.t X π, then let x.p denote the second projection.

This definition is designed to work well in cubical type theory, and uses the
interval I and native heterogeneous equality x =_X y where X : I → Type (where
we can form p = λi.w : x =_X y when p i_0 = x, p i_1 = y, and p i : X i). In
particular, this definition allows for dependent chains without transporting over
the base equality, which is problematic in cubical type theory because transport
gets stuck on neutral types; instead given

A : ℕ → Type with f_A : (n : ℕ) → A (1+n) → A n and
B : (n : ℕ) → A n → Type with
f_B : (n : ℕ) → (a : A (1+n)) → B (1+n) a → B n (f_A n a),

we can form

L_A = chain.t (λn.λi.A n) f_A : Type,
L_B = λa.chain.t (λn.cong (B n) (a.p n)) (λn.f_B n (a.p (1+n) i_0)) : L_A → Type

using cong (B n) (a.p n) which is particularly well behaved in cubical type theory.
This construction commutes with most type formers: dependent function
types, dependent pair types, identity types, and constants. We also note a depen-
dent version of the fact that the limit of a chain is equivalent to the limit of a
shifted chain to substitute for Ahrens et al. [1, Lemma 12].


Lemma 7 (Dependent chain equivalent to shifted chain). Given
X : ℕ → Type, π_X : (n : ℕ) → X (1+n) → X n,
Y_0 : (n : ℕ) → X n → Type, Y_1 : (n : ℕ) → X n → Type,
f : (n : ℕ) → (x : X n) → Y_1 n x → Y_0 n x,
g : (n : ℕ) → (x : X (1+n)) → Y_0 (1+n) x → Y_1 n (π_X n x),
x : chain.t (λn.λi.X n) π_X,

and letting the X arguments to f and g be implicit, we can define the types

t = chain.t (λn.cong (Y_0 n) (x.p n)) (λn.λy.f n (g n y)),
t⁺ = chain.t (λn.cong (Y_1 n) (x.p n)) (λn.λy.g n (f (1+n) y)).

Applying f component-wise gives a function from t⁺ to t. This function is an
equivalence.


We only use Lemma 7 when Y_1 n (π_X n x) = Y_0 (1+n) x, so we may take g to
be the identity, leaving t⁺ the shifted chain of t up to X arguments.
Limit of Goodness Algebras. Now we use the lemmas about chains to con-
struct a nice goodness algebra, and then conclude by constructing an inductive-
inductive object (A, B, η, ext, inj) that satisfies the simple elimination rules.


Lemma 8. A nice goodness algebra exists. 


Proof. The sorts of the limit goodness algebra are defined as a chain, and opera-
tions act pointwise on each component of the chain. To prove that the operations
are equivalences, we compose a proof that Arg commutes with chains (given by
combining the lemmas about chains commuting with type formers) with a proof
that for each sort, the chain given by the (E (Sⁿ O)) is equivalent to the chain
given by (Sⁿ O) (given by Lemma 7). Since (E (Sⁿ O)) is defined by pattern
matching to reduce to Arg, the right and left sides of these equivalences agree,
and we find that the operations are indeed nice. See the formalization for details.


Theorem 2. There exists an inductive-inductive object (A, B, η, ext, inj) that
satisfies the simple elimination rules as defined in Fig. 1.


Proof. A nice goodness algebra exists by Lemma8, therefore we can construct 
(A, B,n, ext, inj) satisfying the simple elimination rules by Lemma6. 


We have therefore succeeded. In cubical type theory, the inductive-inductive 
definition from Fig. 1 is constructible. 


4 Related Work 


The principle of simultaneously defining a type and a family over that type 
has been used many times before. Danielsson [9] used an inductive-inductive- 
recursive definition to define the syntax of dependent type theory, and Chapman 
[5] used an inductive-inductive definition for the same purpose. Conway’s surreal 
numbers [7] are given (up to a defined equivalence relation) by the inductive- 
inductive definition of number and less than, where less than is a relation indexed 
by two numbers [15, §7.1]. The HoTT book §11.3 gives a definition of the Cauchy 
reals as a higher inductive-inductive definition [18]. 

In his thesis and previous papers [15-17], Nordvall Forsberg studies the gen- 
eral theory of inductive-inductive types, axiomatizing a limited class of such 
definitions, and giving a set theoretic model showing that they are consistent. 
He also considers various extensions such as allowing a third type indexed by 
the first two, allowing the second type to be indexed by two elements of the first, 
or combining inductive-inductive definitions with inductive-recursive definitions 
from Dybjer and Setzer [10]. 

There have been several attempts to define a general class of inductive-inductive types larger than that in Nordvall Forsberg’s thesis. Kaposi and Kovacs [14] give an external syntactic description of a class which includes higher inductive-inductive types, and Altenkirch et al. [2] give a semantic description of a class including quotient inductive-inductive types, but neither gives a type of codes that can be reasoned about internally. Working with UIP, Altenkirch et al. [4] propose a class of quotient inductive-inductive types. 

Nordvall Forsberg’s thesis [15] appears to give the best previously known reduction of inductive-inductive types to regular inductive types. As we have shown, Nordvall Forsberg’s approach can only be applied to intensional type theory if UIP holds. Furthermore, the equations for both Nordvall Forsberg’s approach and our approach only hold propositionally. 

Many other structures have been reduced to plain inductive types. Our con- 
struction of inductive-inductive types can be seen as an adaptation of the tech- 
nique in Ahrens et al. [1], where coinductive types are constructed from N by 
taking a limit. Indexed inductive types (which are used in Nordvall Forsberg’s 
construction) are constructed from plain inductive types in Altenkirch et al. [3], 
with good computational properties (provided an identity type that satisfies J 
strictly). And small induction-recursion is reduced to plain indexed inductive 
types in Hancock et al. [11]. 


5 Conclusions and Future Work 


In this paper, we have: 


1. Shown that the construction of inductive-inductive types given by Nordvall 
Forsberg implies UIP. 

2. Given an alternative construction of one particular inductive-inductive type 
in cubical type theory, which is compatible with Homotopy Type Theory. 


We claim that the construction of our specific running example is straight- 
forwardly generalizable to other inductive-inductive types, and have formalized 
the construction of a number of other examples including types with non-finitary 
constructors and indices to support this claim (see the GitHub repository refer- 
enced in the introduction). 

Going forward, we would like to investigate 


— An internal definition of inductive-inductive specifications in HoTT. Early 
experiments suggest that this requires surmounting difficulties related to 
increasingly complex coherence conditions similar to those encountered when 
defining semi-simplicial sets, c.f. Herbelin [12]. 

— Extending the proof given here to construct the general elimination rules. The general elimination rules were defined in Nordvall Forsberg [15], but that formulation relies on either strict computation rules or extensional type theory to be well typed. Kaposi and Kovacs [14] give equivalent rules which are well typed in intensional type theory. 

— Identifying what needs to be added for the simple elimination rules to have 
the expected computational behavior. Given the similar construction method, 
this hopefully also allows the construction of coinductive types with nice 
computational behavior, c.f. Ahrens et al. [1]. 
— In the opposite direction from the previous point, rewriting the construction given here in Coq + Function Extensionality. While the elimination rules will have poor computational behavior, this would make using inductive-inductive types in Coq possible without requiring any change to Coq itself, while being compatible with HoTT. In particular, using cubical type theory makes the proofs in Sect. 3.5 simpler, but we speculate that axiomatic function extensionality is sufficient. 
Abstract. Extracting causal relationships from observed correlations is a growing area in probabilistic reasoning, originating with the seminal work of Pearl and others from the early 1990s. This paper develops a new, categorically oriented view based on a clear distinction between syntax (string diagrams) and semantics (stochastic matrices), connected via interpretations as structure-preserving functors. 

A key notion in the identification of causal effects is that of an interven- 
tion, whereby a variable is forcefully set to a particular value independent 
of any prior dependencies. We represent the effect of such an intervention 
as an endofunctor which performs ‘string diagram surgery’ within the syn- 
tactic category of string diagrams. This diagram surgery in turn yields 
a new, interventional distribution via the interpretation functor. While 
in general there is no way to compute interventional distributions purely 
from observed data, we show that this is possible in certain special cases 
using a calculational tool called comb disintegration. 

We showcase this technique on a well-known example, predicting the 
causal effect of smoking on cancer in the presence of a confounding com- 
mon cause. We then conclude by showing that this technique provides 
simple sufficient conditions for computing interventions which apply to 
a wide variety of situations considered in the causal inference literature. 


Keywords: Causality · String diagrams · Probabilistic reasoning 


1 Introduction 


An important conceptual tool for distinguishing correlation from causation is 
the possibility of intervention. For example, a randomised drug trial attempts to 
destroy any confounding ‘common cause’ explanation for correlations between 
drug use and recovery by randomly assigning a patient to the control or treat- 
ment group, independent of any background factors. In an ideal setting, the 
observed correlations of such a trial will reflect genuine causal influence. Unfor- 
tunately, it is not always possible (or ethical) to ascertain causal effects by means 
of actual interventions. For instance, one is unlikely to get approval to run a clinical trial on whether smoking causes cancer by randomly assigning 50% of the patients to smoke, and waiting a bit to see who gets cancer. However, in certain situations it is possible to predict the effect of such a hypothetical intervention from purely observational data. 

© The Author(s) 2019 

In this paper, we will focus on the problem of causal identifiability. For this 
problem, we are given observational data as a joint distribution on a set of 
variables and we are furthermore provided with a causal structure associated 
with those variables. This structure, which typically takes the form of a directed 
acyclic graph or some variation thereof, tells us which variables can in principle 
have a causal influence on others. The problem then becomes whether we can 
measure how strong those causal influences are, by means of computing an inter- 
ventional distribution. That is, can we ascertain what would have happened if 
a (hypothetical) intervention had occurred? 

Over the past three decades, a great deal of work has been done in identifying necessary and sufficient conditions for causal identifiability in various special cases, starting with very specific notions such as the back-door and front-door criteria [20] and progressing to more general necessary and sufficient conditions for causal identifiability based on the do-calculus [11], or combinatoric concepts such as confounded components in semi-Markovian models [25, 26]. 

This style of causal reasoning relies crucially on a delicate interplay between 
syntax and semantics, which is often not made explicit in the literature. The 
syntactic object of interest is the causal structure (e.g. a causal graph), which 
captures something about our understanding of the world, and the mechanisms 
which gave rise to some observed phenomena. The semantic object of interest is 
the data: joint and conditional probability distributions on some variables. Fixing 
a causal structure entails certain constraints on which probability distributions 
can arise, hence it is natural to see distributions satisfying those constraints as 
models of the syntax. 

In this paper, we make this interplay precise using functorial semantics in the 
spirit of Lawvere [17], and develop basic syntactic and semantic tools for causal 
reasoning in this setting. We take as our starting point a functorial presentation 
of Bayesian networks similar to the one appearing in [7]. The syntactic role is 
played by string diagrams, which give an intuitive way to represent morphisms of 
a monoidal category as boxes plugged together by wires. Given a directed acyclic 
graph (dag) G, we can form a free category Syn_G, whose arrows are (formal) string diagrams which represent the causal structure syntactically. Structure-preserving functors from Syn_G to Stoch, the category of stochastic matrices, then correspond exactly to Bayesian networks based on the dag G. 

Within this framework, we develop the notion of intervention as an oper- 
ation of ‘string diagram surgery’. Intuitively, this cuts a string diagram at a 
certain variable, severing its link to the past. Formally, this is represented as an endofunctor on the syntactic category cut_A : Syn_G → Syn_G, which propagates through a model F : Syn_G → Stoch to send observational probabilities F(ω) to interventional probabilities F(cut_A(ω)). 

The cut_A endofunctor gives us a diagrammatic means of computing interventional distributions given complete knowledge of F. However, more interestingly, 
tional distributions given complete knowledge of F. However, more interestingly, 
we can sometimes compute interventional distributions given only partial knowledge of F, 
namely some observational data. We show that this can also be done via a tech- 
nique we call comb disintegration, which is a string diagrammatic version of 
a technique called c-factorisation introduced by Tian and Pearl [26]. Our app- 
roach generalises disintegration, a calculational tool whereby a joint state on two 
variables is factored into a single-variable state and a channel, representing the 
marginal and conditional parts of the distribution, respectively. Disintegration 
has recently been formulated categorically in [5] and using string diagrams in [4]. 
We take the latter as a starting point, but instead consider a factorisation of a 
three-variable state into a channel and a comb. The latter is a special kind of map 
which allows inputs and outputs to be interleaved. They were originally studied 
in the context of quantum communication protocols, seen as games [8], but have 
recently been used extensively in the study of causally-ordered quantum [3,21] 
and generalised [15] processes. While originally imagined for quantum processes, 
the categorical formulation given in [15] makes sense in both the classical case 
(Stoch) and the quantum. Much like Tian and Pearl’s technique, comb factorisa- 
tion allows one to characterise when the confounding parts of a causal structure 
are suitably isolated from each other, then exploit that isolation to perform the 
concrete calculation of interventional distributions. 

However, unlike in the traditional formulation, the syntactic and semantic 
aspects of causal identifiability within our framework exactly mirror one another. Namely, we can give conditions for causal identifiability in terms of factorisation of a morphism in Syn_G, whereas the actual concrete computation of the interventional 
distribution involves factorisation of its interpretation in Stoch. Thanks to the 
functorial semantics, the former immediately implies the latter. 

To introduce the framework, we make use of a running example taken from 
Pearl’s book [20]: identifying the causal effect of smoking on cancer with the help 
of an auxiliary variable (the presence of tar in the lungs). After providing some 
preliminaries on stochastic matrices and the functorial presentation of Bayesian 
networks in Sects. 2 and 3, we introduce the smoking example in Sect. 4. In Sect. 5 
we formalise the notion of intervention as string diagram surgery, and in Sect. 6 
we introduce the combs and prove our main calculational result: the existence 
and uniqueness of comb factorisations. In Sect. 7, we show how to apply this theorem in computing the interventional distribution in the smoking example, and in Sect. 8, we show how this theorem can be applied in a more general case which captures (and slightly generalises) the conditions given in [26]. In Sect. 9, we 
conclude and describe several avenues of future work. 


2 Stochastic Matrices and Conditional Probabilities 


Symmetric monoidal categories (SMCs) give a very general setting for studying 
processes which can be composed in sequence (via the usual categorical composition ∘) and in parallel (via the monoidal composition ⊗). Throughout this paper, we will use string diagram notation [24] for depicting composition of morphisms in an SMC. In this notation, morphisms are depicted as boxes with labelled input and output wires, composition ∘ as ‘plugging’ boxes together, and the monoidal product ⊗ as placing boxes side-by-side. Identity morphisms are depicted simply as a wire and the unit I of ⊗ as the empty diagram. The ‘symmetric’ part of the structure consists of symmetry morphisms, which enable us to permute inputs and outputs arbitrarily. We depict these as wire-crossings. Morphisms whose domain is I are called states, and they will play a special role throughout this paper. 

A monoidal category of prime interest in this paper is Stoch, whose objects are finite sets and morphisms f : A → B are |B| × |A| dimensional stochastic matrices. That is, they are matrices of positive numbers (including 0) whose columns each sum to 1: 

$$f = \{\, f^j_i \in \mathbb{R}^+ \mid i \in A,\ j \in B \,\} \quad\text{with}\quad \sum_{j} f^j_i = 1, \text{ for all } i.$$

Note we adopt the physicists’ convention of writing row indices as superscripts and column indices as subscripts. Stochastic matrices are of interest for probabilistic reasoning, because they exactly capture the data of a conditional probability distribution. That is, if we take A := {1, …, m} and B := {1, …, n}, conditional probabilities naturally arrange themselves into a stochastic matrix: 

$$f^j_i := P(B = j \mid A = i) \quad\rightsquigarrow\quad f = \begin{pmatrix} P(B = 1 \mid A = 1) & \cdots & P(B = 1 \mid A = m) \\ \vdots & \ddots & \vdots \\ P(B = n \mid A = 1) & \cdots & P(B = n \mid A = m) \end{pmatrix}$$

States, i.e. stochastic matrices from a trivial input I := {∗}, are (non-conditional) probability distributions, represented as column vectors. There is only one stochastic matrix with trivial output: the row vector consisting only of 1’s. The latter, drawn with a dedicated ‘discard’ symbol in the string diagrams, will play a special role in this paper (see (1) below). 

Composition of stochastic matrices is matrix multiplication. In terms of conditional probabilities, that is multiplication followed by marginalization over the shared variable: $\sum_{B} P(C \mid B)\,P(B \mid A)$. Identities are thus given by identity matrices, which we will often express in terms of the Kronecker delta function $\delta^j_i$. 

The monoidal product ⊗ in Stoch is the cartesian product on objects, and Kronecker product of matrices: $(f \otimes g)^{jl}_{ik} = f^j_i\, g^l_k$. We will typically omit parentheses and commas in the indices, writing e.g. $h^{kl}_{ij}$ instead of $h^{(k,l)}_{(i,j)}$ for an arbitrary matrix entry of h : A ⊗ B → C ⊗ D. In terms of conditional probabilities, the Kronecker product corresponds to taking product distributions. That is, if f represents the conditional probabilities P(B|A) and g the probabilities P(D|C), then f ⊗ g represents P(B|A)P(D|C). Stoch also comes with a natural choice of ‘swap’ matrices σ : A ⊗ B → B ⊗ A given by $\sigma^{kl}_{ij} = \delta^l_i\,\delta^k_j$, making it into a symmetric monoidal category. Every object A in Stoch has three other pieces of structure which will play a key role in our formulation of Bayesian networks and interventions: the copy map, the discarding map, and the uniform state: 


$$(\mathrm{copy}_A)^{jk}_i := \begin{cases} 1 & \text{if } i = j = k \\ 0 & \text{otherwise} \end{cases} \qquad (\mathrm{discard}_A)_i := 1 \qquad (\mathrm{uniform}_A)^i := \frac{1}{|A|} \qquad (1)$$

Abstractly, this provides Stoch with the structure of a CDU category. 


Definition 2.1. A CDU category (for copy, discard, uniform) is a symmetric monoidal category (C, ⊗, I) where each object A has a copy map copy_A : A → A ⊗ A, a discarding map discard_A : A → I, and a uniform state uniform_A : I → A satisfying the following equations: 

(2) [drawn as string diagram equations in the original: copy_A is coassociative and cocommutative, discard_A is a counit for copy_A (discarding either output of a copy gives the identity), and discard_A ∘ uniform_A = id_I] 

CDU functors are symmetric monoidal functors between CDU categories preserving copy maps, discard maps and uniform states. 


We assume that the CDU structure on I is trivial and the CDU structure on A ⊗ B is constructed in the obvious way from the structure on A and B. We also use the first equation in (2) to justify writing ‘copy’ maps with arbitrarily many output wires. 

Similar to [2], we can form the free CDU category FreeCDU(X, Σ) over a pair (X, Σ) of a generating set of objects X and a generating set Σ of typed morphisms f : u → w, with u, w ∈ X*, as follows. The category FreeCDU(X, Σ) has X* as set of objects, and morphisms the string diagrams constructed from the elements of Σ and maps copy_x : x → x ⊗ x, discard_x : x → I and uniform_x : I → x for each x ∈ X, taken modulo the equations (2). 


Lemma 2.2. Stoch is a CDU category, with CDU structure defined as in (1). 


An important feature of Stoch is that I = {∗} is the final object, with discard_B : B → I the map provided by the universal property, for any set B. This yields Eq. (3), for any f : A → B, justifying the name “discarding map”: 

$$\mathrm{discard}_B \circ f = \mathrm{discard}_A \qquad (3)$$


We conclude by recording another significant feature of Stoch: disintegration [4,5]. In probability theory, this is the mechanism of factoring a joint probability distribution P(AB) as a product of the first marginal P(A) and a conditional distribution P(B|A). We recall from [4] the string diagrammatic rendition of this process. We say that a morphism f : X → Y in Stoch has full support if, as a stochastic matrix, it has no zero entries. When f is a state, it is a standard result that full support ensures uniqueness of disintegrations of f. 


Proposition 2.3 (Disintegration). For any state ω : I → A ⊗ B with full support, there exist unique morphisms a : I → A, b : A → B such that: 

$$\omega = (\mathrm{id}_A \otimes b) \circ \mathrm{copy}_A \circ a \qquad (4)$$

Note that Eq. (3) and the CDU rules immediately imply that the unique a : I → A in Proposition 2.3 is the marginal of ω onto A: $a = (\mathrm{id}_A \otimes \mathrm{discard}_B) \circ \omega$. 


3 Bayesian Networks as String Diagrams 


Bayesian networks are a widely-used tool in probabilistic reasoning. They give 
a succinct representation of conditional (in)dependences between variables as a 
directed acyclic graph. Traditionally, a Bayesian network on a set of variables 
A, B, C, … is defined as a directed acyclic graph (dag) G, an assignment of sets to each of the nodes V_G := {A, B, C, …} of G and a joint probability distribution over those variables which factorises as $P(V_G) = \prod_{A \in V_G} P(A \mid \mathrm{Pa}(A))$ where Pa(A) is the set of parents of A in G. Any joint distribution that factorises this way is said to satisfy the global Markov property with respect to the dag G. Alternatively, a Bayesian network can be seen as a dag equipped with a set of conditional probabilities {P(A|Pa(A)) | A ∈ V_G} which can be combined 
to form the joint state. Thanks to disintegration, these two perspectives are 
equivalent. 

Much like in the case of disintegration in the previous section, Bayesian net- 
works have a neat categorical description as string diagrams in the category 
Stoch [7,13, 14]. For example, here is a Bayesian network in its traditional depic- 
tion as a dag with an associated joint distribution over its vertices, and as a 
string diagram in Stoch: 


[The dag on vertices A, B, C, D, E with edges A→B, A→D, B→C, D→C, D→E and the corresponding string diagram in Stoch are drawn in the original.] 

$$P(ABCDE) = P(A)\,P(B \mid A)\,P(D \mid A)\,P(C \mid BD)\,P(E \mid D)$$

In the string diagram above, the stochastic matrix a : I → A contains the probabilities P(A), b : A → B contains the conditional probabilities P(B|A), c : B ⊗ D → C contains P(C|BD), and so on. The entire diagram is then equal to a state ω : I → A ⊗ B ⊗ C ⊗ D ⊗ E which represents P(ABCDE). 

Note the dag and the diagram above look similar in structure. The main 
difference is the use of copy maps to make each variable (even those that are 
not leaves of the dag, A, B and D) an output of the overall diagram. This 
corresponds to a variable being observed. We can also consider Bayesian net- 
works with latent variables, which do not appear in the joint distribution due to 
marginalisation. Continuing the example above, making A into a latent variable 
yields the following depiction as a string diagram: 
[The string diagram with A made latent, outputs B, C, D, E only, is drawn in the original.] 

$$P(BCDE) = \sum_{A} P(A)\,P(B \mid A)\,P(D \mid A)\,P(C \mid BD)\,P(E \mid D)$$


In general, a Bayesian network (with possible latent variables), is a string 
diagram in Stoch that (1) only has outputs and (2) consists only of copy maps 
and boxes which each have exactly one output. 

By ‘a string diagram in Stoch’, we mean not only the stochastic matrix itself, 
but also its decomposition into components. We can formalise exactly what we 
mean by taking a perspective on Bayesian networks which draws inspiration 
from Lawvere’s functorial semantics of algebraic theories [16]. In this perspective, 
which elaborates on [7, Ch. 4], we maintain a conceptual distinction between the 
purely syntactic object (the diagram) and its probabilistic interpretation. 

Starting from a dag G = (V_G, E_G), we construct a free CDU category Syn_G¹ which provides the syntax of causal structures labelled by G. The objects of Syn_G are generated by the vertices of G, whereas the morphisms are generated by the following signature: 

$$\Sigma_G := \{\, B_1 \otimes \cdots \otimes B_k \to A \;\mid\; A \in V_G \text{ with parents } B_1, \dots, B_k \in V_G \,\}$$

(each generator is drawn in the original as a box with input wires B_1, …, B_k and a single output wire A). Then Syn_G := FreeCDU(V_G, Σ_G). The following result establishes that models (à la Lawvere) of Syn_G coincide with G-based Bayesian networks. 


Proposition 3.1. There is a 1-1 correspondence between Bayesian networks based on the dag G and CDU functors of type Syn_G → Stoch. 


We refer to [12] for a proof. This proposition justifies the following definition of a category BN_G of G-based Bayesian networks: objects are CDU functors Syn_G → Stoch and arrows are monoidal natural transformations between them. 


4 Towards Causal Inference: The Smoking Scenario 


We will motivate our approach to causal inference via a classic example, inspired by the one given in Pearl’s book [20]. Imagine a dispute between a scientist and a tobacco company. The scientist claims that smoking causes cancer. As a source of evidence, the scientist cites a joint probability distribution ω over variables S for smoking and C for cancer, which disintegrates as in (5) below, with matrix $c = \begin{pmatrix} 0.9 & 0.7 \\ 0.1 & 0.3 \end{pmatrix}$. Inspecting this c : S → C, the scientist notes that the probability of getting cancer for smokers (0.3) is three times as high as for non-smokers (0.1). Hence, the scientist claims that smoking has a significant causal effect on cancer. 

¹ Note that E_G is implicitly used in the construction of Syn_G: the edges of G determine the parents of a vertex, and hence the input types of the symbols in Σ_G. 

An important thing to stress here is that the scientist draws this conclusion using not only the observational data ω but also from an assumed causal structure which gave rise to that data, as captured in the diagram in Eq. (5): 

$$\omega = (\mathrm{id}_S \otimes c) \circ \mathrm{copy}_S \circ s \qquad (5)$$

That is, rather than treating diagram (5) simply as a calculation on the observational data, it can also be treated as an assumption about the actual, physical mechanism that gave rise to that data. Namely, this diagram encompasses the assumption that there is some prior propensity for people to smoke captured by s : I → S, which is both observed and fed into some other process c : S → C whereby an individual’s choice to smoke determines whether or not they get cancer. 

The tobacco company, in turn, says that the scientist’s assumptions about the provenance of this data are too strong. While they concede that in principle it is possible for smoking to have some influence on cancer, the scientist should allow for the possibility that there is some latent common cause (e.g. genetic conditions, stressful work environment, etc.) which leads people both to smoke and get cancer. Hence, says the tobacco company, a ‘more honest’ causal structure to ascribe to the data ω is (6), with a hidden variable H, a prior h : I → H, a process s : H → S and a process c : S ⊗ H → C: 

$$\omega = (\mathrm{id}_S \otimes c) \circ (\mathrm{copy}_S \otimes \mathrm{id}_H) \circ (s \otimes \mathrm{id}_H) \circ \mathrm{copy}_H \circ h \qquad (6)$$

This structure then allows for either party to be correct. If the scientist is right, the output of c : S ⊗ H → C depends mostly on its first input, i.e. the causal path from smoking to cancer. If the tobacco company is right, then c depends very little on its first input, and the correlation between S and C can be explained almost entirely from the hidden common cause. 

So, who is right after all? Just from the observed distribution ω, it is impossible to tell. So, the scientist proposes a clinical trial, in which patients are randomly required to smoke or not to smoke. We can model this situation by replacing s in (6) with a process that ignores its inputs and outputs the uniform state. Graphically, this looks like ‘cutting’ the link s between H and S: 

$$\omega' = (\mathrm{id}_S \otimes c) \circ (\mathrm{copy}_S \otimes \mathrm{id}_H) \circ ((\mathrm{uniform}_S \circ \mathrm{discard}_H) \otimes \mathrm{id}_H) \circ \mathrm{copy}_H \circ h = (\mathrm{id}_S \otimes c) \circ (\mathrm{copy}_S \otimes \mathrm{id}_H) \circ (\mathrm{uniform}_S \otimes h) \qquad (7)$$

This captures the fact that variable S is now randomised and no longer dependent on any background factors. This new distribution ω′ represents the data the scientist would have obtained had they run the trial. That is, it gives the results of an intervention at s. If this ω′ still shows a strong correlation between smoking and cancer, one can conclude that smoking indeed causes cancer even when we assume the weaker causal structure (6). 

Unsurprisingly, the scientist fails to get ethical approval to run the trial, and 
hence has only the observational data w to work with. Given that the scientist 
only knows w (and not c and h), there is no way to compute w’ in this case. 
However, a key insight of statistical causal inference is that sometimes it is possi- 
ble to compute interventional distributions from observational ones. Continuing 
the smoking example, suppose the scientist proposes the following revision to the causal structure: they posit a structure (8) that includes a third observed variable (the presence T of tar in the lungs), which completely mediates the causal effect of smoking on cancer. 

As with our simpler structure, the diagram (8) contains some assumptions about the provenance of the data ω. With a new process t : S → T, and c now of type T ⊗ H → C, the structure is: 

$$\omega = (\mathrm{id}_S \otimes \mathrm{id}_T \otimes c) \circ (\mathrm{id}_S \otimes \mathrm{copy}_T \otimes \mathrm{id}_H) \circ (\mathrm{id}_S \otimes t \otimes \mathrm{id}_H) \circ (\mathrm{copy}_S \otimes \mathrm{id}_H) \circ (s \otimes \mathrm{id}_H) \circ \mathrm{copy}_H \circ h \qquad (8)$$

In particular, by omitting wires, we are asserting there is no direct causal link between certain variables. The absence of an H-labelled input to t says there is no direct causal link from H to T (only mediated by S), and the absence of an S-labelled input wire into c captures that there is no direct causal link from S to C (only mediated by T). In the traditional approach to causal inference, such relationships are typically captured by a graph-theoretic property called d-separation on the dag associated with the causal structure. 

We can again imagine intervening at S by replacing s : H → S by uniform_S ∘ discard_H. Again, this ‘cutting’ of the diagram will result in a new interventional distribution ω′. However, unlike before, it is possible to compute this distribution from the observational distribution ω. 

However, in order to do that, we first need to develop the appropriate categorical framework. In Sect. 5, we will model ‘cutting’ as a functor. In Sect. 6, we will introduce a generalisation of disintegration, which we call comb disintegration. These tools will enable us to compute ω′ for ω, in Sect. 7. 


5 Interventional Distributions as Diagram Surgery 


The goal of this section is to define the ‘cut’ operation in (7) as an endofunctor 
on the category of Bayesian networks. First, we observe that such an operation 
exclusively concerns the string diagram part of a Bayesian network: following 
the functorial semantics given in Sect. 3, it is thus appropriate to define cut as 
an endofunctor on Syn_G, for a given dag G. 
Definition 5.1. For a fixed node A ∈ V_G in a graph G, let cut_A : Syn_G → Syn_G be the CDU functor freely obtained by the following action on the generators (V_G, Σ_G) of Syn_G: 

— For each object B ∈ V_G, cut_A(B) = B. 

— The generator with output wire of type A is sent to the map that discards all of its inputs and outputs the uniform state on A, i.e. cut_A(B_1 ⊗ ⋯ ⊗ B_k → A) = uniform_A ∘ discard_{B_1 ⊗ ⋯ ⊗ B_k}, and cut_A(σ) = σ for any other generator σ ∈ Σ_G. 

[The string diagrams of this definition are drawn in the original.] 

Intuitively, cut_A applied to a string diagram f of Syn_G removes from f each occurrence of a box with output wire of type A. 

Proposition 3.1 allows us to “transport” the cutting operation over to Bayesian networks. Given any Bayesian network based on G, let F : Syn_G → Stoch be the corresponding CDU functor given by Proposition 3.1. Then, we can define its A-cutting as the Bayesian network identified by the CDU functor F ∘ cut_A. This yields an (idempotent) endofunctor Cut_A : BN_G → BN_G. 
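As an added worked example (not code from the paper or its authors), the following Python encodes the Stoch operations of Sect. 2 (copy, discard, uniform, composition as matrix product, Kronecker product, disintegration as in (4)), the causal structure (6) of Sect. 4, and the cut of Sect. 5 as in (7). The two numerical models, the variable names and all helper functions are constructed here; the models are chosen so that both produce the same observational ω but different interventional ω′, which is the point of the dispute in Sect. 4.

```python
import numpy as np

# Convention from Sect. 2: a stochastic matrix f : A -> B is stored as f[j, i] = P(B=j | A=i),
# so columns sum to 1, sequential composition is @ and the monoidal product is np.kron.
# A pair index (i, k) on A (x) B is flattened row-major as i * |B| + k.

def copy_map(n):
    """Copy map A -> A (x) A of (1): entry [(j, k), i] is 1 exactly when i == j == k."""
    m = np.zeros((n * n, n))
    for i in range(n):
        m[i * n + i, i] = 1.0
    return m

def discard(n):
    """Discarding map A -> I of (1): the 1 x |A| row of ones."""
    return np.ones((1, n))

def uniform(n):
    """Uniform state I -> A of (1): the |A| x 1 column with entries 1/|A|."""
    return np.full((n, 1), 1.0 / n)

def is_stochastic(f):
    """Eq. (3) / Lemma 6.1: f is in Stoch iff discard o f = discard (and entries are >= 0)."""
    return bool(np.all(f >= 0) and np.allclose(discard(f.shape[0]) @ f, discard(f.shape[1])))

def structure6(h, s, c):
    """omega = (id_S (x) c) o (copy_S (x) id_H) o (s (x) id_H) o copy_H o h, i.e. structure (6)."""
    n_s, n_h = s.shape
    return (np.kron(np.eye(n_s), c) @ np.kron(copy_map(n_s), np.eye(n_h))
            @ np.kron(s, np.eye(n_h)) @ copy_map(n_h) @ h)

def cut_S(h, s, c):
    """cut_S of Sect. 5: replace s : H -> S by uniform_S o discard_H, giving omega' as in (7)."""
    n_s, n_h = s.shape
    return structure6(h, uniform(n_s) @ discard(n_h), c)

def disintegrate(omega, n_a, n_b):
    """Prop. 2.3: split a full-support state on A (x) B into its marginal a : I -> A
    and the conditional b : A -> B with omega = (id_A (x) b) o copy_A o a."""
    joint = omega.reshape(n_a, n_b)          # joint[i, j] = P(A=i, B=j)
    a = joint.sum(axis=1).reshape(n_a, 1)    # marginal of omega onto A, as after (4)
    b = (joint / a).T                        # b[j, i] = P(B=j | A=i)
    return a, b

def disintegration_reconstructs(omega, n_a, n_b):
    """Check Eq. (4) numerically for the a, b returned by disintegrate."""
    a, b = disintegrate(omega, n_a, n_b)
    return bool(np.allclose(np.kron(np.eye(n_a), b) @ copy_map(n_a) @ a, omega))

def cancer_given_smoking(omega):
    """(P(C=1 | S=0), P(C=1 | S=1)) read off a state on S (x) C, as the scientist does in (5)."""
    _, c_cond = disintegrate(omega, 2, 2)
    return float(c_cond[1, 0]), float(c_cond[1, 1])

# Two constructed models of (6) with binary H, S, C (these numbers are not from the paper).
H = np.array([[0.5], [0.5]])                       # h : I -> H
# "Scientist is right": S is a coin flip whatever H is, and C depends on S only.
S_SCI = np.array([[0.5, 0.5], [0.5, 0.5]])         # s[S, H]
C_SCI = np.array([[0.9, 0.9, 0.7, 0.7],            # c[C, (S, H)], columns (0,0),(0,1),(1,0),(1,1)
                  [0.1, 0.1, 0.3, 0.3]])
# "Tobacco company is right": H fixes S deterministically, and C depends on H only.
S_TOB = np.array([[1.0, 0.0], [0.0, 1.0]])
C_TOB = np.array([[0.9, 0.7, 0.9, 0.7],
                  [0.1, 0.3, 0.1, 0.3]])

def observational_states_agree():
    """Both models produce the same omega, so omega alone cannot tell them apart."""
    return bool(np.allclose(structure6(H, S_SCI, C_SCI), structure6(H, S_TOB, C_TOB)))

def compare_models():
    """Observational P(C=1|S) and interventional P(C=1|do S) for each model."""
    obs = {"sci": cancer_given_smoking(structure6(H, S_SCI, C_SCI)),
           "tob": cancer_given_smoking(structure6(H, S_TOB, C_TOB))}
    do = {"sci": cancer_given_smoking(cut_S(H, S_SCI, C_SCI)),
          "tob": cancer_given_smoking(cut_S(H, S_TOB, C_TOB))}
    return obs, do

if __name__ == "__main__":
    obs, do = compare_models()
    print("same observational data:", observational_states_agree())   # True
    print("P(C=1|S=0), P(C=1|S=1):", obs)      # both models: (0.1, 0.3)
    print("P(C=1|do S=0), P(C=1|do S=1):", do)  # sci: (0.1, 0.3), tob: (0.2, 0.2)
```

In the "scientist" model the cut leaves ω unchanged, while in the "tobacco" model it removes the apparent effect entirely, even though both models reproduce the c of Sect. 4 observationally.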


6 The Comb Factorisation 


Thanks to the developments of Sect. 5, we can understand the transition from left to right in (7) as the application of the functor Cut_S applied to the ‘Smoking’ node S. The next step is being able to actually compute the individual Stoch-morphisms appearing in (8), to give an answer to the causality question. 

In order to do that, we want to work in a setting where t : S → T can be isolated and ‘extracted’ from (8). What is left behind is a stochastic matrix with a ‘hole’ where t has been extracted (drawn as a diagram in the original). To define ‘morphisms with holes’, it is convenient to pass from SMCs to compact closed categories (see e.g. [24]). Stoch is not itself compact closed, but it embeds into Mat(ℝ⁺), whose morphisms are all matrices over positive numbers. Mat(ℝ⁺) has a (self-dual) compact closed structure; that means, for any set A there is a ‘cap’ ∩ : A ⊗ A → I and a ‘cup’ ∪ : I → A ⊗ A, which satisfy the ‘yanking’ equations (drawn in the original). As matrices, caps and cups are defined by $\cap_{ij} = \cup^{ij} = \delta^j_i$. Intuitively, they amount to ‘bent’ identity wires. Another aspect of Mat(ℝ⁺) that is useful to recall is the following handy characterisation of the subcategory Stoch. 


Lemma 6.1. A morphism f : A → B in Mat(ℝ⁺) is a stochastic matrix (thus 
a morphism of Stoch) if and only if (3) holds. 


A suitable notion of ‘stochastic map with a hole’ is provided by a comb. These 
structures originate in the study of certain kinds of quantum channels [3]. 


Definition 6.2. A 2-comb in Stoch is a morphism f : A_1 ⊗ A_2 → B_1 ⊗ B_2 satisfying, for some other morphism f′ : A_1 → B_1, 

$$(\mathrm{id}_{B_1} \otimes \mathrm{discard}_{B_2}) \circ f = f' \otimes \mathrm{discard}_{A_2} \qquad (9)$$
This definition extends inductively to n-combs, where we require that discarding the rightmost output yields f' tensored with discarding, for some (n − 1)-comb f'. However, for our purposes, restricting to 2-combs will suffice.

The intuition behind condition (9) is that the contribution from input A₂ is only visible via output B₂. Thus, if we discard B₂ we may as well discard A₂. In other words, the input/output pair A₂, B₂ happen ‘after’ the pair A₁, B₁. Hence, it is typical to depict 2-combs in the shape of a (hair) comb, with 2 ‘teeth’, as in (10) below:


[equation (10), string diagram omitted: the 2-comb f drawn as a comb with two teeth, the lower tooth carrying the wires A₁, B₁ and the upper tooth the wires A₂, B₂; the transition ⇝ shows a map g: B₁ → A₂ plugged between the teeth, yielding a map A₁ → B₂]


While combs themselves live in Stoch, Mat(ℝ⁺) accommodates a second-order reading of the transition ⇝ in (10): we can treat f as a map which expects as input a map g: B₁ → A₂ and produces as output a map of type A₁ → B₂. Plugging g: B₁ → A₂ into the 2-comb can be formally defined in Mat(ℝ⁺) by composing f and g in the usual way, then feeding the output of g into the second input of f, using caps and cups, as in (11).

Importantly, for generic f and g of Stoch, there is no guarantee that forming the composite (11) in Mat(ℝ⁺) yields a valid Stoch-morphism, i.e. a morphism satisfying the finality Eq. (3). However, if f is a 2-comb and g is a Stoch-morphism, Eq. (9) enables a discarding map plugged into the output B₂ in (11) to ‘fall through’ the right side of f, which guarantees that the composed map satisfies the finality equation for discarding. See [12, § ??] for the explicit diagram calculation.

With the concept of 2-combs in hand, we can state our factorisation result. 


Theorem 6.3. For any state ω: I → A ⊗ B ⊗ C of Stoch with full support, there exists a unique 2-comb f: B → A ⊗ C and stochastic matrix g: A → B such that, in Mat(ℝ⁺):

[equation (12), string diagram omitted: ω equals g plugged into the 2-comb f, with the outputs A and B copied to the outside]


Proof. The construction of f and g mimics the one of c-factors in [26], using string diagrams and (diagrammatic) disintegration. We first use ω to construct maps a: I → A, b: A → B, c: A ⊗ B → C, then construct f using a and c and construct g using b. For the full proof, including uniqueness, see [12].


Note that Theorem 6.3 generalises the normal disintegration property given in Proposition 2.3. The latter is recovered by taking A := I (or C := I) above.

7 Returning to the Smoking Scenario


We now return to the smoking scenario of Sect. 4. There, we concluded by claiming that the introduction of an intermediate variable T to the observational distribution ω: I → S ⊗ T ⊗ C would enable us to calculate the interventional distribution. That is, we can calculate ω' = F(cut_S(ω)) from ω = F(ω), where the ω inside F is the syntactic diagram of Sect. 4. Thanks to Theorem 6.3, we are now able to perform that calculation. We first observe that our assumed causal structure for ω fits the form of Theorem 6.3, where g is t and f is a 2-comb containing everything else:

[string diagram omitted: ω with the box t: S → T singled out as g and the rest of the diagram forming the 2-comb f]

Hence, f and g are computable from ω. If we plug them back together as in (12), we will get ω back. However, if we insert a ‘cut’ between f and g:

[equation (13), string diagram omitted: f and g recomposed as in (12), with a ‘cut’ inserted on the S wire between them]

we obtain ω' = F(cut_S(ω)).
We now consider a concrete example. Fix interpretations S = T = C = {0, 1} and let ω: I → S ⊗ T ⊗ C be the stochastic matrix:

$$
\omega = \begin{pmatrix} 0.5 \\ 0.1 \\ 0.01 \\ 0.02 \\ 0.1 \\ 0.05 \\ 0.02 \\ 0.2 \end{pmatrix}
\quad
\begin{array}{l}
\leftarrow P(S=0, T=0, C=0) \\
\leftarrow P(S=0, T=0, C=1) \\
\leftarrow P(S=0, T=1, C=0) \\
\leftarrow P(S=0, T=1, C=1) \\
\leftarrow P(S=1, T=0, C=0) \\
\leftarrow P(S=1, T=0, C=1) \\
\leftarrow P(S=1, T=1, C=0) \\
\leftarrow P(S=1, T=1, C=1)
\end{array}
$$
Now, disintegrating ω into a state on S and a channel c: S → C:

[string diagram omitted: the (S, C) marginal of ω factored as the channel c applied to a copy of the state on S]

$$
c \approx \begin{pmatrix} 0.81 & 0.32 \\ 0.19 & 0.68 \end{pmatrix}
$$

The bottom-left element of c is P(C = 1 | S = 0), whereas the bottom-right is P(C = 1 | S = 1), so this suggests that patients are ~3.5 times as likely to get cancer if they smoke (68% vs. 19%). However, comb-disintegrating ω using Theorem 6.3 gives g: S → T and a comb f: T → S ⊗ C with the following stochastic matrices:


$$
f \approx \begin{pmatrix} 0.53 & 0.21 \\ 0.11 & 0.42 \\ 0.25 & 0.03 \\ 0.12 & 0.34 \end{pmatrix}
\qquad
g \approx \begin{pmatrix} 0.95 & 0.41 \\ 0.05 & 0.59 \end{pmatrix}
$$

(the rows of f are indexed by (S, C) in the order (0,0), (0,1), (1,0), (1,1) and its columns by T; the columns of g are indexed by S and its rows by T).


Recomposing these with a ‘cut’ in between, as in the left-hand side of (13), gives the interventional distribution ω' ≈ (0.38, 0.11, 0.01, 0.02, 0.16, 0.05, 0.07, 0.22). Disintegrating:


[string diagram omitted: the (S, C) marginal of ω' disintegrated into a state on S and a channel c': S → C]

$$
c' \approx \begin{pmatrix} 0.75 & 0.46 \\ 0.25 & 0.54 \end{pmatrix}.
$$


From the interventional distribution, we conclude that, in a (hypothetical) clinical trial, patients are about twice as likely to get cancer if they smoke (54% vs. 25%). So, since 54 < 68, there was some confounding influence between S and C in our observational data, but after removing it via comb disintegration, we see there is still a significant causal link between smoking and cancer.

Note this conclusion depends totally on the particular observational data that we picked. For a different interpretation of ω in Stoch, one might conclude that there is no causal connection, or even that smoking decreases the chance of getting cancer. Interestingly, all three cases can arise even when a naïve analysis of the data shows a strong direct correlation between S and C. To see and/or experiment with these cases, we have provided the Python code† used to perform these calculations. See also [19] for a pedagogical overview of this example (using traditional Bayesian network language) with some sample calculations.
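The computation of this section carried out numerically, as an added example that is not the paper's code (nor the gist it links): it rebuilds g and the 2-comb f from ω along the lines of the proof of Theorem 6.3, checks that plugging them back together returns ω, and recomposes them with the cut. It assumes that the cut discards the S wire leaving f and re-sources it from the uniform state on {0, 1}; this is the reading that reproduces the 25% and 54% figures above.

```python
"""Comb disintegration of the smoking example (Theorem 6.3, Sect. 7).

Added example, not the paper's own code.  A state over S, T, C is a dict
keyed by (s, t, c); a channel X -> Y is a dict keyed by (y, x) holding
P(Y = y | X = x).  Interpretations are S = T = C = {0, 1}.
"""
from itertools import product

VALUES = (0, 1)

# Observational distribution omega: I -> S (x) T (x) C from Sect. 7,
# keyed by (s, t, c).
OMEGA = {
    (0, 0, 0): 0.5,  (0, 0, 1): 0.1,
    (0, 1, 0): 0.01, (0, 1, 1): 0.02,
    (1, 0, 0): 0.1,  (1, 0, 1): 0.05,
    (1, 1, 0): 0.02, (1, 1, 1): 0.2,
}


def marginal_s(omega):
    """Discard the T and C wires: the state a: I -> S."""
    return {s: sum(omega[(s, t, c)] for t in VALUES for c in VALUES)
            for s in VALUES}


def disintegrate_c_given_s(omega):
    """Ordinary disintegration of the (S, C) marginal into a state on S
    and a channel c: S -> C, returned as c[(c, s)] = P(C = c | S = s)."""
    a = marginal_s(omega)
    return {(c, s): sum(omega[(s, t, c)] for t in VALUES) / a[s]
            for s in VALUES for c in VALUES}


def comb_disintegrate(omega):
    """Theorem 6.3: omega = g: S -> T plugged into a 2-comb f: T -> S (x) C.

    As in the proof, build a: I -> S, b: S -> T and c: S (x) T -> C, then
        g[(t, s)]    = b(t | s)
        f[(s, c, t)] = a(s) * c(c | s, t)
    The first tooth of f emits S from a; the second tooth reads T and emits
    C from c.  Condition (9) holds: summing C away leaves a(s), which does
    not depend on t.  Full support of omega keeps every divisor positive."""
    a = marginal_s(omega)
    st = {(s, t): sum(omega[(s, t, c)] for c in VALUES)    # P(S, T)
          for s in VALUES for t in VALUES}
    g = {(t, s): st[(s, t)] / a[s] for s in VALUES for t in VALUES}
    f = {(s, c, t): a[s] * omega[(s, t, c)] / st[(s, t)]
         for s in VALUES for c in VALUES for t in VALUES}
    return f, g


def recompose(f, g, cut=False):
    """Plug g back into f as in (12).

    With cut=True the S wire leaving f's first tooth is discarded and the
    copy feeding g and the S output is re-sourced from the uniform state
    (assumed reading of the cut in (13)).  The second tooth still sees the
    original S internally, which is exactly the confounding kept inside f."""
    omega = {}
    for s, t, c in product(VALUES, repeat=3):
        if cut:
            omega[(s, t, c)] = (g[(t, s)] / len(VALUES)
                                * sum(f[(s2, c, t)] for s2 in VALUES))
        else:
            omega[(s, t, c)] = g[(t, s)] * f[(s, c, t)]
    return omega


def cancer_given_smoking(joint):
    """P(C = 1 | S = s) for both values of s, read off a disintegration."""
    c = disintegrate_c_given_s(joint)
    return {s: c[(1, s)] for s in VALUES}


if __name__ == "__main__":
    f, g = comb_disintegrate(OMEGA)
    # plugging g back into f without a cut must return omega itself
    assert all(abs(recompose(f, g)[k] - OMEGA[k]) < 1e-12 for k in OMEGA)
    omega_cut = recompose(f, g, cut=True)
    print("omega' :", [round(omega_cut[k], 2) for k in sorted(omega_cut)])
    print("observational  P(C=1|S=s):", cancer_given_smoking(OMEGA))
    print("interventional P(C=1|S=s):", cancer_given_smoking(omega_cut))
```

The first entry of ω' evaluates to 0.367, so it prints as 0.37 rather than the 0.38 quoted above; every other entry and both conditional tables agree with the text.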


8 The General Case for a Single Intervention 


While we applied the comb decomposition to a particular example, this technique 
applies essentially unmodified to many examples where we intervene at a single 
variable (called X below) within an arbitrary causal structure. 


† https://gist.github.com/akissinger/aeec1751792a208253bda491ead587b6
Theorem 8.1. Let G be a dag with a fixed node X that has corresponding generator x: Y₁ ⊗ … ⊗ Y_n → X in Syn_G. Then, suppose ω is a morphism in Syn_G of the following form:

[equation (14), string diagram omitted: ω assembled from the subdiagrams f₁, g and f₂ and the generator x; the layout is not recoverable from the extraction]

for some morphisms f₁, f₂ and g in Syn_G not containing x as a subdiagram. Then the interventional distribution ω' := F(cut_X(ω)) is computable from the observational distribution ω = F(ω).


Proof. The proof is very close to the example in the previous section. Interpreting ω into Stoch, we get a diagram of stochastic maps, which we can comb-disintegrate, then recompose with the cut in place of x to produce the interventional distribution:

[string diagram omitted: the comb-disintegrated ω recomposed with a cut where x stood]

The RHS above is then F(cut_X(ω)).


This is general enough to cover several well-known sufficient conditions from the causality literature, including single-variable versions of the so-called front-door and back-door criteria, as well as the sufficient condition based on confounding paths given by Pearl and Tian [26]. As the latter subsumes the other two, we will say a few words about the relationship between the Pearl/Tian condition and Theorem 8.1. In [26], the authors focus on semi-Markovian models, where the only latent variables have exactly two observed children and no parents. Suppose we write A ↔ B if two observed variables are connected by a latent common cause; then one can characterise confounding paths as the transitive closure of ↔. They go on to show that the interventional distribution corresponding to cutting X is computable whenever there are no confounding paths connecting X to one of its children.


Causal Inference by String Diagram Surgery 327 


We can compare this to the form of expression ω in Eq. (14). First, note this factorisation implies that all boxes which take X as an input must occur as subdiagrams of g. Hence, any ‘confounding path’ connecting X to its children would yield at least one (un-copied) wire from f₁ to g, hence it cannot be factored as (14). Conversely, if there are no confounding paths from X to its children, then we can place the boxes involved in any other confounding path either entirely inside of g or entirely outside of g and obtain factorisation (14). Hence, restricting to semi-Markovian models, the no-confounding-path condition from [26] is equivalent to ours. However, Theorem 8.1 is slightly more general: its formulation doesn’t rely on the causal structure ω being semi-Markovian.


9 Conclusion and Future Work 


This paper takes a fresh, systematic look at the problem of causal identifiability. 
By clearly distinguishing syntax (string diagram surgery and identification of 
comb shapes) and semantics (comb-disintegration of joint states) we obtain a 
clear methodology for computing interventional distributions, and hence causal 
effects, from observational data. 

A natural next step is moving beyond single-variable interventions to the gen- 
eral case, i.e. situations where we allow interventions on multiple variables which 
may have some arbitrary causal relationships connecting them. This would mean 
extending the comb factorisation Theorem 6.3 from a 2-comb and a channel to 
arbitrary n-combs. This seems to be straightforward, via an inductive exten- 
sion of the proof of Theorem 6.3. A more substantial direction of future work 
will be the strengthening of Theorem 8.1 from sufficient conditions for causal 
identifiability to a full characterisation. Indeed, the related condition based on 
confounding paths from [26] is a necessary and sufficient condition for computing 
the interventional distribution on a single variable. Hence, it will be interesting 
to formalise this necessity proof (and more general versions, e.g. [10]) within our 
framework and investigate, for example, the extent to which it holds beyond the 
semi-Markovian case. 

While we focus exclusively on the case of taking models in Stoch in this paper, 
the techniques we gave are posed at an abstract level in terms of composition 
and factorisation. Hence, we are optimistic about their prospects to generalise to 
other probabilistic (e.g. infinite discrete and continuous variables) and quantum 
settings. In the latter case, this could provide insights into the emerging field 
of quantum causal structures [6,9,18,22,23], which attempts in part to replay 
some of the results coming from statistical causal reasoning, but where quantum 
processes play a role analogous to stochastic ones. A key difficulty in applying 
our framework to a category of quantum processes, rather than Stoch, is the 
unavailability of ‘copy’ morphisms due to the quantum no-cloning theorem [27]. 
However, a recent proposal for the formulation of ‘quantum common causes’ [1] 
suggests a (partially-defined) analogue to the role played by ‘copy’ in our for- 
mulation constructed via multiplication of certain commuting Choi matrices. 
Hence, it may yet be possible to import results from classical causal reasoning 
into the quantum case just by changing the category of models. 
Higher-Order Distributions for Differential Linear Logic

Abstract. Linear Logic was introduced as the computational counter- 
part of the algebraic notion of linearity. Differential Linear Logic refines 
Linear Logic with a proof-theoretical interpretation of the geometrical 
process of differentiation. In this article, we construct a polarized model 
of Differential Linear Logic satisfying computational constraints such as 
an interpretation for higher-order functions, as well as constraints inher- 
ited from physics such as a continuous interpretation for spaces. This 
extends what was done previously by Kerjean for first order Differential 
Linear Logic without promotion. Concretely, we follow the previous idea 
of interpreting the exponential of Differential Linear Logic as a space of 
higher-order distributions with compact-support, which is constructed 
as an inductive limit of spaces of distributions on Euclidean spaces. We 
prove that this exponential is endowed with a co-monadic like structure, 
with the notable exception that it is functorial only on isomorphisms. 
Interestingly, as previously argued by Ehrhard, this still allows the inter- 
pretation of differential linear logic without promotion. 


Keywords: Differential Linear Logic · Categorical semantics · Topological vector spaces


1 Introduction 


Denotational semantics interprets programs as functions, focusing not on how data from these programs are computed, but rather on the input/output of programs and on data computed from other data [19]. Through the Curry-Howard-Lambek correspondence, this approach refines into the categorical semantics of type systems. In particular, a study of the denotational model of the λ-calculus for coherent spaces led Girard to Linear Logic [9] and the understanding of the use of resources as the computational counterpart of linearity in algebra. Differential Linear Logic (DiLL) [7] is a refinement of Linear 
Logic which allows for a notion of linear approximation of non-linear proofs. As 
a proof-net calculus, DiLL originated from studying vectorial models of Linear 
Logic which in general are based on spaces of sequences, such as Köthe spaces 
and finiteness spaces [5]. 

Recently the first author argued in [14] that as a sequent calculus DiLL has a 
“smooth” semantical interpretation where the exponential ! (the central object 
of Linear Logic) is interpreted as a space of distributions with compact sup- 
port [18]. This semantical interpretation of DiLL (along with the Linear Logic 
typed phenomena of duality and interaction) provides a strong argument that 
DiLL should be considered as a foundation for a type theory of differential equa- 
tions, whose semantics would be based on structures developed for mathematical 
physics. However one of the many divergences between the theoretical study of 
physical systems and the theoretical study of programming languages lies in 
the treatment of input data. In the study of differential equations, one generally only accepts a finite number of parameters, typically time and space [1], whereas one of the fundamental aspects of the semantics of functional programming languages is the concept of higher-order types [4], which in particular allows programs to take other programs as inputs. Linking these two concepts 
together requires that when mathematical physics studies functions with finite 
dimensional domains, the denotational semantical counterpart will be studying 
functions whose codomains are spaces of functions (which are in general far from 
being finite dimensional). 

This article gives a higher-order notion of distributions with compact support, 
following the model without higher order constructed by the first author in [14]. 
Indeed, only functions whose domains are finite dimensional were defined in 
[14], while no interpretation was given for functions whose domains are spaces of 
smooth functions. This latter notion relies on the basic intuition that even with 
a continuous and infinite set of input data, a program will at each computation 
use only a finite amount of data. 


Content and Related Work. In this paper, we interpret the exponential as 
an inductive limit of spaces of distributions with compact support (Definition 7). 
Non-linear proofs are thus interpreted as elements of a projective limit of spaces of 
smooth functions. In [3], Blute, Cockett, and Seely construct a general interpretation of an exponential as a projective limit of more basic spaces. In [13], Kriegl and Michor construct the free C^∞-ring over a set X (thus a space of smooth functions) 
as a projective limit of spaces of smooth functions between Euclidean spaces. Our 
work thus differs on the fact that we reverse the use of projective and inductive 
limits for defining the exponential and that we use a finer indexation than the 
indexation used in [3,13]. The reverse use of limits compared to the literature is 
motivated by the fact that we are cautious about polarities [16], while the finer 
indexing is for topological considerations. Indeed, we need to carefully consider 
the functoriality of the exponential and the topology on the objects. 
Context. Differential Linear Logic (DiLL) is a sequent calculus enriching Linear Logic (LL) with the possibility of linearizing proofs. This linearization is semantically understood as the differentiation at 0. Motivated by the need to explore the similarities between the differential structures inherited from logic and those inherited from physics, one would like to interpret formulas of DiLL by general topological vector spaces and non-linear proofs by smooth functions. The interpretation of the involutive linear negation of DiLL leads to the requirement of reflexive topological vector spaces, that is, topological vector spaces E such that L(L(E, ℝ), ℝ) ≅ E, otherwise expressed as E'' ≅ E. In [14], the first author argued that in a classical smooth-linear setting, the exponential ! should be interpreted as a space of distributions with compact support [18], that is, !E := C^∞(E, ℝ)'. The first author also showed that this defines a strong monoidal functor ! from the category of Euclidean vector spaces to the category of reflexive locally convex and Hausdorff vector spaces. As reflexive spaces typically do not form a ∗-autonomous category (or even a monoidal closed category), in [14] the first author constructs a polarized model of DiLL structured as a chirality [17]. This polarized structure is also necessary here. In Sect. 5, formulas of DiLL₀ are interpreted in two different categories, depending on whether they interpret a positive or a negative formula.


Main Content. In this paper we construct an interpretation for the exponential ! (Definition 10) which is strong monoidal (Theorem 3). The exponential constructed in this paper is a generalization of the compact-support exponential from [14]. Explicitly, for a reflexive space E, the exponential !E is defined as the inductive limit of spaces C^∞(ℝ^n, ℝ)', indexed by linear continuous functions f: ℝ^n ⊸ E (Definition 7),

$$
!E := \varinjlim_{f : \mathbb{R}^n \multimap E} C^\infty(\mathbb{R}^n, \mathbb{R})'.
$$


We also consider the “why not” connective ? (Definition 9) where for a reflexive space E, ?E is interpreted as the space of smooth scalar functions on E, C^∞(E, ℝ). Explicitly, being the dual of !E, ?E is the projective limit of spaces C^∞(ℝ^n, ℝ), indexed by the injective linear continuous functions f: ℝ^n ⊸ E (Proposition 4),

$$
?E := \varprojlim_{f : \mathbb{R}^n \multimap E} C^\infty(\mathbb{R}^n, \mathbb{R}).
$$


An important drawback of this work is that the functoriality of ! is ensured only on isomorphisms, that is, ! is an endofunctor on the category REFL_iso of reflexive spaces and isomorphisms between them. We use a technique developed by Ehrhard in [6] to show that this still provides a model of finitary Differential Linear Logic (DiLL₀), that is, DiLL without the promotion rule. We also discuss how this construction also leads to a polarized model of DiLL₀ (Sect. 5).


Organization of the Paper. Section 2 gives an overview of the development in DiLL which led to this paper and gives some background in functional analysis. In Sect. 3 we discuss higher-order functions and distributions, and prove strong monoidality. Section 4 provides the interpretation of the dereliction and codereliction and the bialgebraic structure of the exponential. Finally in Sect. 5 we discuss the polarized interpretation of formulas.


Notation. In this article, we borrow notation from Linear Logic. In particular, we use ⊸ to distinguish between linear functions and non-linear ones; for example, f: E ⊸ F would be linear continuous while g: E → F would only be smooth. We also denote elements of !E and ?E, which are indexed by linear continuous injective indexes f: ℝ^n ⊸ E, in bold with their indexing in subscript:


2 Preliminaries 


2.1 Differential Linear Logic and Its Semantics 


Linear Logic [9] refines Intuitionistic Logic with a linear negation, (−)^⊥, and a notion of linearity of proofs, ⊸. More precisely, Linear Logic introduces the fundamental isomorphism between A ⇒ B, proofs of B from A, and !A ⊸ B, linear proofs of B from !A, the exponential of A. In particular, Linear Logic features a dereliction rule d, which allows one to consider linear proofs as particular cases of non-linear proofs:

$$
\frac{\vdash \Gamma, A}{\vdash \Gamma, ?A}\; d
$$

Differential Linear Logic (DiLL) brings a notion of differentiation to the picture by introducing a codereliction rule d̄. By cut-elimination, the codereliction rule allows one to linearize a non-linear proof:

$$
\frac{\vdash \Gamma, A}{\vdash \Gamma, !A}\; \bar{d}
$$


In Linear Logic, the exponential group also features weakening and contraction rules, while DiLL adds co-weakening and co-contraction rules, which in the context of this paper correspond respectively to integration and convolution (see [15] for more details). DiLL without promotion, or finitary Differential Linear Logic, is denoted DiLL₀ and is the original version of Differential Linear Logic by Ehrhard and Regnier [7]. Its exponential rules for {?, !} can be found in Fig. 1. The other rules of DiLL₀ correspond to the usual ones for the MALL group {⊗, ⅋, ⊕, ×}. Non-finitary DiLL can be constructed by adding the promotion rule to DiLL₀, which in particular requires functoriality of the exponential. Cut-elimination in DiLL and DiLL₀ generates sums of proofs [7], and therefore the categorical interpretation of proofs must be done in a category enriched over commutative monoids.
$$
\frac{\vdash \Gamma}{\vdash \Gamma, ?E}\; w \qquad
\frac{\vdash \Gamma, ?E, ?E}{\vdash \Gamma, ?E}\; c \qquad
\frac{\vdash \Gamma, E}{\vdash \Gamma, ?E}\; d
$$

$$
\frac{}{\vdash\, !E}\; \bar{w} \qquad
\frac{\vdash \Gamma, !E \quad \vdash \Delta, !E}{\vdash \Gamma, \Delta, !E}\; \bar{c} \qquad
\frac{\vdash \Gamma, E}{\vdash \Gamma, !E}\; \bar{d}
$$

Fig. 1. Exponential rules of DiLL₀


Following Fiore’s definition in [8], a categorical model of DiLL is an extension of Seely’s axiomatization of categorical models of Linear Logic [20]. Explicitly, a model of DiLL consists of a ∗-autonomous category (L, ⊗, 1, (_)^⊥) with a finite biproduct structure × with zero object 0, a strong monoidal comonad !: (L, ×, 0) → (L, ⊗, 1), and a natural transformation d̄: id_L ⇒ !, called the codereliction operator, which interprets differentiation at zero. A particularly important coherence for the codereliction is that composing the co-unit of the co-monad d: ! ⇒ id_L with d̄ results in the identity (the top left triangle of Definition 1). Intuitively, this means that differentiating a linear map results in the same linear map.


Working Without Promotion. The special particularity of our work is that we do not interpret promotion and thus only obtain a denotational model of DiLL₀ but not of DiLL. The main reason for this is that in the formula

$$
\mathcal{E}'(E) := \varinjlim_{f : \mathbb{R}^n \multimap E} \mathcal{E}_f(\mathbb{R}^n),
$$

injectivity of the indexes f: ℝ^n ⊸ E is needed to have a well-defined order to properly define an inductive limit (Definition 6). Therefore the exponential constructed in this paper cannot be functorial with respect to every linear continuous morphism in TOPVEC. In the construction of the exponential, one needs to compose injective indexes f with maps ℓ of the category (resp. their dual ℓ'), and these compositions ℓ ∘ f (resp. ℓ' ∘ g) are required to again be injective. As shown by Treves [21, Chapter 23.2], ℓ' is injective if and only if ℓ has a dense image. Therefore we have no choice but to ask for isomorphisms and thus we obtain an endofunctor on REFL_iso, the category of reflexive spaces and linear continuous isomorphisms between them.

Models of DiLL₀ in which promotion is not necessarily interpreted were studied by Ehrhard in his survey on Differential Linear Logic [6]. He introduces exponential structures, which provide a categorical setting that differs from the traditional axiomatization of Seely’s models.


Definition 1 [6, Section 2.5]. Let L be a pre-additive ∗-autonomous category (i.e. a commutative monoid enriched ∗-autonomous category [6, Sect. 2.4]) and let L_iso be the wide subcategory of L with only isomorphisms as morphisms. An exponential structure on L is a tuple (!, w, c, w̄, c̄, d, d̄) consisting of an endofunctor !: L_iso → L_iso, and families of morphisms of L (not necessarily of L_iso) indexed by the objects of L:

$$
w_A : !A \to 1 \qquad c_A : !A \to !A \otimes !A \qquad \bar{w}_A : 1 \to !A \qquad \bar{c}_A : !A \otimes !A \to !A
$$

$$
d_A : !A \to A \qquad \bar{d}_A : A \to !A
$$

which are natural for morphisms of L_iso, and such that for each object A, (!A, w_A, c_A, w̄_A, c̄_A) is a commutative bialgebra in L, and such that the following diagrams commute:

[commutative diagrams omitted: the extraction keeps only their edge labels, among them the top-left triangle d ∘ d̄ = id_E and squares whose edges are labelled d ⊗ w + w ⊗ d]


The above commutative diagrams allow for a direct interpretation of the cut-elimination process of DiLL₀. Ehrhard shows in particular that the interpretation of the structural and co-structural rules of DiLL₀ only needs the functoriality of the exponential on the isomorphisms [6, Sect. 2.5]. Indeed, in a classical model of DiLL (that is, a model in which the interpretation of the linear negation is involutive) functoriality on isomorphisms is needed to guarantee the duality between ? and !. Otherwise, the structural exponential rules are interpreted by natural transformations c, c̄, w, w̄, d, and d̄. These natural transformations can be constructed as in [8], following a co-monadic structure (!A, w_A, w̄_A) on each object !A [7, Sect. 2.6]. To sum up:

Functoriality of the exponential on isomorphisms is needed for duality but is not needed to interpret finitary proofs as morphisms of a category.


That we have a model of DiLL₀ and not of DiLL fits well with our motivation, as we are looking for the computational counterpart of type theories modeled by analysis. DiLL₀ is indeed the sequent calculus which is refined into an understanding of Linear Partial Differential Equations in [14], and the meaning of promotion with respect to differential equations remains unclear. However, we are still able to construct a natural promotion-like morphism for our exponential (Definition 13).
2.2 Reflexive Spaces and Distributions


In this paper, we study and use the theory of locally convex topological vector 
spaces [12] to give concrete models of DiLL. Topological vector spaces are a gen- 
eralization of normed spaces or metric spaces, in which continuity is only charac- 
terized by a collection of open sets (which may not necessarily come from a metric 
or a norm). In this section, we highlight some key concepts which hopefully will 
give the reader a better understanding of the difficulties of constructing models 
of DiLL using smooth spaces. We refer respectively to [12] or [18] for details on 
topological vector spaces or distribution theory. 

By a locally convex topological vector space (lcs), we mean a locally convex and Hausdorff topological vector space on ℝ. Briefly, these are vector spaces endowed with a topology generated by convex open subsets such that the scalar multiplication and the addition are both continuous. For the rest of the section, we consider E and F to be two lcs.


Definition 2. Denote E ≃ F for a linear isomorphism between E and F as ℝ-vector spaces, and E ≅ F for a linear homeomorphism between E and F as topological vector spaces.


Definition 3. Denote L_b(E, F) the lcs of all linear continuous functions between E and F, endowed with the topology of uniform convergence on bounded subsets [12] of E. When F = ℝ, we denote E' := L_b(E, ℝ), called the strong dual of E.


Definition 4. Let δ: E → E'' be the transpose of the evaluation map in E', which is explicitly defined as follows:

$$
\delta : E \to E'', \qquad x \mapsto \delta_x : (f \mapsto f(x)).
$$

A lcs E is said to be semi-reflexive if δ is a linear isomorphism, that is, E ≃ E''. A semi-reflexive lcs E is reflexive when δ is a linear homeomorphism, that is, E ≅ E''.


The following proposition is crucial to the constructions of this paper. In 
terms of polarization, it shows how semi-reflexivity is a negative construction, 
while reflexivity mixes positives and negative requirements. 


Proposition 1 [12, Chapter 11.4].

– Semi-reflexivity is preserved by projective limits, that is, the projective limit of semi-reflexive lcs is a semi-reflexive lcs.

– A lcs E is reflexive if and only if it is semi-reflexive and barrelled, meaning that every convex, balanced, absorbing and closed subspace of E is a 0-neighbourhood.

– Barrelled spaces are preserved by inductive limits, that is, the inductive limit of barrelled spaces is a barrelled space.


Next we briefly recall a few facts about distributions. 


Higher-Order Distributions for Differential Linear Logic 337 


Definition 5. For each n ∈ ℕ, a function f: ℝ^n → ℝ is said to be smooth if it is infinitely differentiable. Let 𝓔(ℝ^n) = C^∞(ℝ^n, ℝ) denote the space of all smooth functions f: ℝ^n → ℝ, endowed with the topology of uniform convergence of all differentials on all compact subsets of ℝ^n [12]. The strong dual of 𝓔(ℝ^n), 𝓔'(ℝ^n), is called the space of distributions with compact support.


We now recall the famous Schwartz kernel theorem, which states that the construction of a kernel f ⊗ g ∈ 𝓔(ℝ^n) ⊗ 𝓔(ℝ^m) ↦ f · g ∈ 𝓔(ℝ^{n+m}) is in fact an isomorphism on the completed tensor product 𝓔(ℝ^n) ⊗̂ 𝓔(ℝ^m):

Theorem 1 ([18]). For any n, m ∈ ℕ, we have the following:

$$
\mathcal{E}'(\mathbb{R}^n) \hat{\otimes}_\beta \mathcal{E}'(\mathbb{R}^m) \cong \mathcal{E}'(\mathbb{R}^{n+m}) \cong \mathcal{L}_b(\mathcal{E}(\mathbb{R}^m), \mathcal{E}'(\mathbb{R}^n))
$$


Theorem 2 ([14]). There is a first-order polarized denotational model of DiLL₀ in which the exponential is interpreted as a space of distributions: !(ℝ^n) := 𝓔'(ℝ^n).

This interpretation did not generalize to higher-order as we were unable to define !E for an infinite dimensional space E, even for those sharing the topological properties of spaces of smooth functions¹. For example, the definition of !!ℝ is in no way obvious. This is the problem we tackle in the following sections.


3 Higher-Order Distributions and Kernel 


In this section we define spaces of higher-order functions and distributions, 
we prove that they are reflexive (Proposition 2) and verify a kernel theorem 
(Theorem 3). 


Definition 6. Let E be a lcs and f: ℝ^n ⊸ E and g: ℝ^m ⊸ E be two linear continuous injective functions. We say that f ≤ g when n ≤ m and f = g|_{ℝ^n}, that is, f = g ∘ ι_{n,m} where ι_{n,m}: ℝ^n → ℝ^m is the canonical injection.


The ordering ≤ in the above definition provides an order on the set of dependent pairs (n, f) where n ∈ ℕ and f: ℝ^n ⊸ E is linear injective. This will allow us to construct an inductive limit (a categorical colimit) of lcs.


Definition 7. Let E be any lcs.

1. For every linear continuous injective function f: ℝ^n ⊸ E, define the lcs 𝓔_f(ℝ^n) as follows:

$$
\mathcal{E}_f(\mathbb{R}^n) := C^\infty(\mathbb{R}^n)'
$$


¹ These spaces are in particular nuclear (F)-spaces, see [14].


338 M. Kerjean and J.-S. Pacaud Lemay 


2. Define 𝓔'(E), the space of distributions on E, as follows:

$$
\mathcal{E}'(E) := \varinjlim_{f : \mathbb{R}^n \multimap E} \mathcal{E}_f(\mathbb{R}^n)
$$

that is, the inductive limit [12, Chapter 4.5] (or colimit) in the category TOPVEC of the family of lcs {𝓔_f(ℝ^n) | f: ℝ^n ⊸ E linear continuous injective} directed under the inclusion maps defined as

$$
S_{f,g} : \mathcal{E}_f(\mathbb{R}^n) \to \mathcal{E}_g(\mathbb{R}^m), \qquad \phi \mapsto \big(h \mapsto \phi(h \circ \iota_{n,m})\big)
$$

when f ≤ g.


Intuitively this definition of 𝓔'(E) says that distributions with compact support on E are the distributions with a finite dimensional compact support K ⊆ ℝ^n.


Proposition 2. For any lcs E, 𝓔'(E) is a reflexive lcs.

The following proposition justifies the notation 𝓔'(ℝ^n) from Definition 5.

Proposition 3. If E ≅ ℝ^n for some n ∈ ℕ, then 𝓔'(E) ≅ C^∞(ℝ^n)'.


As 𝓔'(E) is reflexive, we give a special (yet obvious) notation for the strong dual of 𝓔'(E).

Definition 8. For a reflexive lcs E, let 𝓔(E) denote the strong dual of 𝓔'(E).

Since the strong dual of a reflexive lcs is again reflexive [12], it follows by Proposition 3 that for any reflexive lcs E, 𝓔(E) is also reflexive.

The strong dual of a projective limit is linearly isomorphic to the inductive limit of the duals; however, as noted in [12, Chapter 8.8.12], the topologies may not coincide. When E is endowed with its Mackey topology (which is the case in particular when E is reflexive), then the topologies do coincide.


Proposition 4. Let E be a reflexive lcs. For every linear continuous injective function $f : \mathbb{R}^n \to E$, define the lcs $\mathcal{E}_f(\mathbb{R}^n) := C^\infty(\mathbb{R}^n)$. Then we have the following linear homeomorphism:

$$\mathcal{E}(E) \simeq \varprojlim_{f : \mathbb{R}^n \to E} \mathcal{E}_f(\mathbb{R}^n)$$

where the lcs on the right is the projective limit [12, Chapter 2.6] in TOPVEC of the family of lcs $\{\mathcal{E}_f(\mathbb{R}^n) \mid f : \mathbb{R}^n \to E \text{ linear continuous injective}\}$ with projections defined as:

$$T_{g,f} = S_{f,g}' : \mathcal{E}_g(\mathbb{R}^m) \to \mathcal{E}_f(\mathbb{R}^n),\qquad h \mapsto h \circ \iota_{n,m}$$

when $f \le g$.
The elements $\mathbf{f} \in \mathcal{E}(E)$ are families $\mathbf{f} := (\mathbf{f}_f)_{f : \mathbb{R}^n \to E}$ such that if $f \le g$, we have that $\mathbf{f}_f = \mathbf{f}_g \circ \iota_{n,m}$. The intuition here is that distributions of a reflexive lcs E are in fact distributions with compact support on a finite dimensional space, or equivalently that smooth functions $E \to \mathbb{R}$ are functions which are smooth when restricted to $\mathbb{R}^n$ (viewed as a finite dimensional subspace of E). This makes it possible to define multinomials on E in the following way:

$$P(x \in \mathbb{R}^k) = \sum_{I \subseteq \llbracket 1, n \rrbracket} a_I\, x^I$$

where we either embedded or projected $\mathbb{R}^k$ into $\mathbb{R}^n$ in the canonical way.

It also seems possible to provide a setting restricted specifically to higher order spaces of distributions and not to every reflexive space. Indeed, we would like to describe smooth scalar functions on $\mathcal{E}(\mathbb{R}^n)$ as

$$h \in \mathcal{E}(\mathbb{R}^n) \mapsto h(0)^2$$

taking into account that we have non-linear functions as inputs. This seems to indicate another direction of research, where we would construct smooth functions indexed by Dirac functions $\delta : \mathbb{R}^n \to E' = \mathcal{E}'(\mathbb{R}^n)$ as defined in Definition 4.

The Kernel Theorem. We now provide the Kernel theorem for spaces $\mathcal{E}(E)$. Indeed, the spaces of functions are the ones which can be described as projective limits, and projective limits are the ones which commute with the completed projective tensor product $\hat{\otimes}_\pi$. While we do not provide a proof here, we would like to highlight that the proof of this theorem depends heavily on the fact that the considered spaces of functions are nuclear spaces [12].


Theorem 3. For every lcs E and F, we have a linear homeomorphism:

$$\mathcal{E}(E)\,\hat{\otimes}_\pi\,\mathcal{E}(F) \simeq \mathcal{E}(E \times F).$$


We now give the definitions of the functors ? and !, both of which agree with the previous characterization described by the first author in [14] on Euclidean spaces $\mathbb{R}^n$. However, as discussed in the introduction, while these functors can be defined properly on all objects, they will only be defined on isomorphisms. So let $\mathrm{REFL}_{iso}$ denote the category of reflexive lcs and linear homeomorphisms between them.

Definition 9. Define the endofunctor $? : \mathrm{REFL}_{iso} \to \mathrm{REFL}_{iso}$ as follows:

$$? : \mathrm{REFL}_{iso} \to \mathrm{REFL}_{iso},\qquad E \mapsto \mathcal{E}(E'),\qquad \ell : E \to F \;\mapsto\; ?\ell : \mathcal{E}(E') \to \mathcal{E}(F') \tag{1}$$

where for $\mathbf{f} \in \mathcal{E}(E')$, the $g : \mathbb{R}^m \to F'$ component of $?\ell(\mathbf{f}) \in \mathcal{E}(F')$ is defined as:

$$(?\ell(\mathbf{f}))_g = \mathbf{f}_{\ell' \circ g}$$

where $\ell' : F' \to E'$ denotes the transpose of $\ell$.

Note that $?\ell : \mathcal{E}(E') \to \mathcal{E}(F')$ is defined by the universal property of the projective limit, that is, $?\ell$ is uniquely defined by post-composing by the projections $\pi_g : \mathcal{E}(F') \to \mathcal{E}(\mathbb{R}^m)$ for each linear continuous injective function $g : \mathbb{R}^m \to F'$. We also note that $\mathbf{f}_{\ell' \circ g}$ is well-defined since $\ell'$ is injective and therefore so is $\ell' \circ g$. The universality of the projective limit also ensures that $?\ell$ is an isomorphism and that ? is functorial.


Definition 10. Define the functor $! : \mathrm{REFL}_{iso} \to \mathrm{REFL}_{iso}$ on objects as $!E := (?E')'$ and on isomorphisms as $!\ell := (?\ell')'$. Explicitly, ! is defined as follows:

$$! : \mathrm{REFL}_{iso} \to \mathrm{REFL}_{iso},\qquad E \mapsto \mathcal{E}'(E),\qquad \ell : E \to F \;\mapsto\; !\ell : \mathcal{E}'(E) \to \mathcal{E}'(F) \tag{2}$$

where for the $f : \mathbb{R}^n \to E$ component of $\phi \in \mathcal{E}'(E)$, $!\ell(\phi) \in \mathcal{E}'(F)$ is defined as:

$$(!\ell(\phi))_{\ell \circ f} = \phi_f,\qquad \ell \circ f : \mathbb{R}^n \to F$$

As before, $!\ell$ is defined by the co-universal property of the inductive limit, that is, $!\ell$ is defined by pre-composition with the injections $\iota_f : \mathcal{E}'(\mathbb{R}^n) \to \mathcal{E}'(E)$ for every linear continuous injective function $f : \mathbb{R}^n \to E$. Functoriality of ! is ensured by functoriality of ? and reflexivity of the objects.


4 Structural Morphisms on the Exponential 


We consider the exponential from the DiLL model of convenient vector spaces in [2] as a guideline for defining the structural morphisms on $!E$. In that setting, structural operations can be defined on Dirac operations. For example, the codereliction $\bar{d}_{conv}$ maps $\delta_x$ to $x$. Here the mapping $\delta_x$ must be understood as the linear continuous function which maps $x \in E$ to $\big((\mathbf{f}_f)_f \in \mathcal{E}(E) \mapsto \mathbf{f}_f(f^{-1}(x))\big) \in \mathcal{E}'(E)$, which we show is well defined below.


4.1 Dereliction and Co-dereliction 


Definition 11. For a reflexive lcs E, define the following linear continuous morphism:

$$d_E : {!E} = \mathcal{E}'(E) \to E'' \simeq E,\qquad \phi \mapsto \Big(\ell \in E' \mapsto \phi\big((\ell \circ f)_{f : \mathbb{R}^n \to E} \in \mathcal{E}(E)\big)\Big) \tag{3}$$

We stress that $d_E$ is a map in REFL and not a map in $\mathrm{REFL}_{iso}$ (though sufficient for Definition 1). The map $d_E$ is well defined as $\ell \circ f$ is a linear continuous injective function $\mathbb{R}^n \to \mathbb{R}$, and thus is smooth and belongs in particular to $\mathcal{E}(\mathbb{R}^n)$. Also, as we are working with reflexive spaces, $d_E$ could have been described equivalently as a map of the following type:

$$E \to ?E,\qquad x \mapsto \big(\mathrm{ev}_x \circ f \in \mathcal{E}(\mathbb{R}^n, \mathbb{R})\big)_{f : \mathbb{R}^n \to E'} \tag{4}$$

Lemma 1. The morphisms $d_E$ are natural with respect to linear homeomorphisms, that is, maps of $\mathrm{REFL}_{iso}$. Explicitly, if $\ell : E \to F \in \mathrm{REFL}_{iso}$ then $d_F \circ {!\ell} = \ell \circ d_E$.


We now study the interpretation of the codereliction $\bar{d}$. Let $D_0 : C^\infty(\mathbb{R}^n) \to (\mathbb{R}^n)'$ denote the operator which maps a function to its differential at 0:

$$D_0 : f \mapsto \Big( v \mapsto \lim_{t \to 0} \frac{f(tv) - f(0)}{t} = \sum_{i=1}^{n} v_i\, \frac{\partial f}{\partial x_i}(0) \Big)$$

The operator $D_0$ is linear in $f \in C^\infty(\mathbb{R}^n)$. It is continuous: the reciprocal image by $D_0$ of the polar $B^\circ_{0,1}$ is the set of all functions $f \in C^\infty(\mathbb{R}^n)$ whose partial derivatives of order one have maximal value 1 on the compact $\{0\}$. This contains the set $\{f \mid \forall i,\ |\tfrac{\partial f}{\partial x_i}(0)| < 1\}$, which is open in the topology described in Definition 5.

Definition 12. For a reflexive lcs E, define the following linear continuous morphism:

$$\bar{d}_E : E \to {!E} \simeq (\mathcal{E}(E))',\qquad x \mapsto \Big((\mathbf{f}_f \in C^\infty(\mathbb{R}^n, \mathbb{R}))_{f : \mathbb{R}^n \to E} \mapsto D_0\mathbf{f}_f(f^{-1}(x))\Big) \tag{5}$$

where $f$ is injective such that $x \in \mathrm{Im}(f)$.

We should explain why the choice of $f^{-1}(x)$ does not matter. Here $f^{-1}(x)$ is the linear argument of the differentiation. Indeed suppose that $f \le g$, that is, $f = g \circ \iota_{n,m}$. Thus by definition of the projective limit we have $\mathbf{f}_f = \mathbf{f}_g \circ \iota_{n,m}$ and:

$$\begin{aligned}
D_0\mathbf{f}_f(f^{-1}(x)) &= D_0(\mathbf{f}_g \circ \iota_{n,m})\big((g \circ \iota_{n,m})^{-1}(x)\big) \\
&= D_0\mathbf{f}_g\big(D_0\iota_{n,m}(\iota_{n,m}^{-1}(g^{-1}(x)))\big) \\
&= D_0\mathbf{f}_g\big(\iota_{n,m}(\iota_{n,m}^{-1}(g^{-1}(x)))\big) \qquad (\text{as } \iota_{n,m} \text{ is linear}) \\
&= D_0\mathbf{f}_g(g^{-1}(x))
\end{aligned}$$

As any pair of linear functions $f : \mathbb{R}^n \to E$ and $g : \mathbb{R}^m \to E$ is bounded by $f \times g : \mathbb{R}^{n+m} \to E$, we obtain the required uniqueness.

Similar to the dereliction, the codereliction could alternatively have been described as a map of the following type:

$$\mathcal{E}(E') \to E'' \simeq E,\qquad (\mathbf{f}_f)_{f : \mathbb{R}^n \to E'} \mapsto \big(\ell \in E' \mapsto D_0\mathbf{f}_f(f^{-1}(\ell))\big) \tag{6}$$

We again stress that $\bar{d}_E$ is not a map in $\mathrm{REFL}_{iso}$.

Lemma 2. The morphisms $\bar{d}_E$ are natural with respect to linear homeomorphisms, that is, maps of $\mathrm{REFL}_{iso}$. Explicitly, if $\ell : E \to F \in \mathrm{REFL}_{iso}$ then $\bar{d}_F \circ \ell = {!\ell} \circ \bar{d}_E$.

Finally, we observe that $d_E$ and $\bar{d}_E$ satisfy the all-important coherence condition between derelictions and coderelictions.

Proposition 5. For a reflexive lcs E, $d_E \circ \bar{d}_E = \mathrm{Id}_E$.


4.2 (Co-)contraction and (Co-)weakening 


In this section, we define the interpretation of the other exponential rules: weakening $w$, co-weakening $\bar{w}$, contraction $c$, and co-contraction $\bar{c}$, which will be generalized from [14]. We start with weakening and co-weakening, which are fairly straightforward.

$$w_E : {!E} \to \mathbb{R},\quad \phi \mapsto \phi(1) \qquad\qquad \bar{w}_E : \mathbb{R} \to {!E},\quad 1 \mapsto \delta_0 : \big((\mathbf{f}_f)_f \in \mathcal{E}(E) \mapsto \mathbf{f}_f(0)\big) \text{ for any } f$$

According to [8], the rules $c$ and $\bar{c}$ are interpreted respectively via the kernel theorem and pre-composition with the diagonal $E \to E \times E$ and co-diagonal $E \times E \to E$ maps of the biproduct. This is however not defined in a context where ! is functorial only on isomorphisms. Thus we give a direct, component-wise interpretation of contraction and co-contraction.

$$c_E : {!E} \to {!(E \times E)} \simeq {!E} \otimes {!E},\qquad \phi \mapsto \Big((\mathbf{f}_g)_{g : \mathbb{R}^n \to E \times E} \mapsto \phi\big((\mathbf{f}_{(x \in \mathbb{R}^n \mapsto (f(x), f(x)))})_{f : \mathbb{R}^n \to E}\big)\Big)$$

$$\bar{c}_E : {!E} \otimes {!E} \simeq {!(E \times E)} \to {!E},\qquad \phi \otimes \psi \mapsto \Big((\mathbf{f}_f)_{f : \mathbb{R}^n \to E} \mapsto \phi\big(x \in \mathbb{R}^n \mapsto \psi(y \in \mathbb{R}^m \mapsto f(x) + f'(y))\big)\Big)$$

where $f : \mathbb{R}^n \to E$ and $f' : \mathbb{R}^m \to E$.

Theorem 4. The morphisms $(w, \bar{w}, c, \bar{c}, d, \bar{d})$ satisfy the coherences of exponential structure on $!E$, as detailed in Definition 1.

We note that this does not give an exponential structure per se since REFL is not a monoidal category, as we will explain in Sect. 5. That said, in Sect. 5 we are still able to construct a polarized model of DiLL_0.


4.3 Co-multiplication 


The categorical interpretation of the exponential rules of linear logic requires a co-monad $! : \mathcal{L} \to \mathcal{L}$. However in the case of this paper, the exponential ! is functorial only on isomorphisms. As such, one cannot interpret the promotion rule of Linear Logic, as this requires functoriality of ! on the interpretation of any proof (and typically on linear continuous maps which are not isomorphisms). That said, functoriality is the only missing ingredient, and one can still define natural transformations of the same type as the co-multiplication and co-unit of the co-monad. This section details this point, leaving the exploration of a functorial ! for future work.

Definition 13. For a reflexive lcs E, define the following linear continuous morphism:

$$\mu_E : {!E} \to {!!E},\qquad \phi \mapsto \Big((\mathbf{g}_g)_{g : \mathbb{R}^m \to {!E}} \in \mathcal{E}({!E}) \mapsto \mathbf{g}_g(g^{-1}(\phi))\Big) \tag{7}$$

when $\phi \in \mathrm{Im}(g)$ and $g$ is injective.

This is well defined, as we can show as for the codereliction (5) that the term $\mathbf{g}_g(g^{-1}(\phi))$ is unique when $g : \mathbb{R}^m \to {!E}$ linear and $\mathbf{g}_g \in C^\infty(\mathbb{R}^m)$ varies. Moreover there is at least one linear function $g : \mathbb{R}^m \to {!E}$ which has $\phi$ in its image.

Lemma 3. The morphisms $\mu_E$ are natural with respect to linear homeomorphisms, that is, maps of $\mathrm{REFL}_{iso}$. Explicitly, if $\ell : E \to F \in \mathrm{REFL}_{iso}$ then $\mu_F \circ {!\ell} = {!!\ell} \circ \mu_E$.

Proposition 6. For any reflexive lcs E, $d_{!E} \circ \mu_E = \mathrm{Id}_{!E}$.

The identity of Proposition 6 is one of the identities of a comonad. The other comonad identities require applying ! to $\mu$ and $d$, which we cannot do in our context as ! is only defined on isomorphisms.


5 A Model of DiLL_0


In Sect. 4 we defined the structural morphisms on the exponential and proved the equations that allow interpreting proofs of DiLL_0 by morphisms in REFL, independently of cut-elimination. We now detail which categories allow interpreting formulas of MALL. This will be done in a polarized setting generalizing the one of [14].


Polarization. So far we have constructed an exponential $! : \mathrm{REFL}_{iso} \to \mathrm{REFL}_{iso}$ which is strong monoidal. However, the category of reflexive spaces is too big to give us a model of DiLL_0. Interpreting the multiplicative connective requires a monoidal setting, and reflexive spaces are not stable under topological tensor products. If we study more closely the definition of spaces of higher-order smooth functions, we see that their reflexivity follows from a more restrictive class of spaces. These spaces are however not stable under duality, thus resulting in a polarized model of DiLL_0.

In this section we briefly show how the techniques developed above construct a polarized model of DiLL_0. The syntax of polarized (Differential) Linear Logic [16] is recalled below. A distinction is made between positive formulas (preserved by ⊗ and ⊕) and negative formulas (preserved by ⅋ and &). The same deduction rules apply.

Negative Formulas: N, M := ⊥ | ⊤ | ?P | N ⅋ M | N × M | P^⊥
Positive Formulas: P, Q := 1 | 0 | !N | P ⊗ Q | P ⊕ Q | N^⊥

Models of polarized linear logic are axiomatized categorically as an adjunction between a category of positives and a category of negatives, where two interpretations for negation play the role of adjoint functors. These categories obey the axiomatics of chiralities [17].


Additives. Interpreting the additive connectives of linear logic is straightforward. The product × and coproduct ⊕ of lcs are linearly homeomorphic on finite indexes and therefore give biproducts, which leads to the usual commutative monoid enrichment as described in [8].


Multiplicatives. When sticking to finite dimensional spaces or normed spaces, duality is pretty straightforward in the sense that the dual of a normed space is still normed. This, however, is no longer the case when one generalizes to metric spaces. Indeed, the dual of a metric space may not be endowed with a metric. A Fréchet space, or (F)-space, is a complete and metrizable lcs. The duals of these spaces are not metrizable in general, but they are (DF)-spaces (see [10] for the definition):

Proposition 7 ([11] IV.3.1).

– If E is metrizable, then its strong dual $E'$ is a (DF)-space.
– If E is a (DF)-space, then $E'$ is an (F)-space.

Typical examples of nuclear (F)-spaces are the spaces of smooth functions $\mathcal{E}(\mathbb{R}^n)$, while typical examples of nuclear (DF)-spaces are the spaces of distributions with compact support $\mathcal{E}'(\mathbb{R}^n)$. In particular, all these spaces are reflexive. In [14], the first author interpreted positive formulas as nuclear (DF)-spaces, while negative formulas were interpreted as (F)-spaces. Following the construction of Sect. 3, we will consider respectively inductive limits and projective limits.


Definition 14. A lcs is said to be an LNF-space if it is a regular projective limit of nuclear Fréchet spaces. The category of LNF-spaces and linear continuous injective maps is denoted LNF. A lcs E is said to be an LNDF-space if it is an inductive limit of nuclear complete (DF)-spaces.

Proposition 8. 1. An LNF-space E is reflexive.
2. The dual of an LNF-space is an LNDF-space.

The above proposition can be proven using the same techniques as computing the dual of $\mathcal{E}(E)$.

The difficulty of constructing a model of MLL in topological vector spaces is choosing the topology which will make the tensor product associative and commutative on the already chosen category of lcs. Contrary to what happens in a purely algebraic setting, the definition of a topological tensor product is not straightforward and several topologies can be defined, each corresponding to a different notion of continuity for bilinear maps [10]. On nuclear spaces, such as $\mathcal{E}(\mathbb{R}^n)$ and $\mathcal{E}'(\mathbb{R}^n)$, most of these tensor products coincide with one another. In [14], both multiplicative connectives (⊗ and ⅋) were interpreted as the completed projective (equivalently injective) tensor product $\hat{\otimes}_\pi$ (see [12, 15.1 and 21.2]). This property is lost when working with limits. However, there is still a good interpretation of ⅋ for LNF spaces (which are thus the interpretation of negative formulas). Indeed, the completed injective tensor product $\hat{\otimes}_\varepsilon$ of a projective limit of lcs is the projective limit of the completed injective tensor products [12, 16.3.2]. Taking the duals of Theorem 3 applied to $E'$ and $F'$ gives the following:

Proposition 9. For any reflexive spaces E and F we have a linear homeomorphism:

$$?E \,\hat{\otimes}_\varepsilon\, ?F \simeq ?(E \times F),$$

which shows that ⅋ is interpreted by $\hat{\otimes}_\varepsilon$. The multiplicative conjunction ⊗ is interpreted as the dual of $\hat{\otimes}_\varepsilon$, which may not necessarily be linearly homeomorphic to $\hat{\otimes}_\pi$.


6 Conclusion 


In this paper, we extended the polarized model of DiLL without higher order constructed in [14] to a higher-order polarized model of DiLL_0. The motivating idea was that computation on spaces of functions uses only a finite number of arguments. This led to constructing an exponential on a reflexive lcs as an inductive limit of exponentials of finite dimensional vector spaces. While this exponential is only functorial for linear homeomorphisms, we were still able to provide structural morphisms interpreting (co)weakening, (co)contraction, and (co)dereliction, and hints of a co-monad.

The next step would be to extend the definition of the exponential in this paper to an interpretation of the promotion rule and thus of LL; this could be done through epi-mono decomposition of arrows in REFL. Another task is to properly work out which tensor product of reflexive spaces will provide a model of DiLL. Such a model should use chiralities [17], and underline the similarities between shifts and (co-)dereliction.

More generally, this work highlights again that the interpretation of the exponential in lcs relies on a computing principle. Indeed, it always requires finding a higher-order extension of distributions. While what we have constructed here relies on a finitary principle, the construction of a free exponential in [3] relies on the principle that higher-order operations are computed on Dirac distributions $\delta_x$. That is, the exponential is constructed following a discretization scheme. The appearance of such numerical methods in a semantic study of DiLL provides another link between theoretical computer science and mathematical physics. This opens the door to studying the relation between the numerical schemes of numerical analysis and the theoretical study of programming languages.
Abstract. We consider a language together with the subword relation, 
the cover relation, and regular predicates. For such structures, we con- 
sider the extension of first-order logic by threshold- and modulo-counting 
quantifiers. Depending on the language, the used predicates, and the 
fragment of the logic, we determine four new combinations that yield 
decidable theories. These results extend earlier ones where only the lan- 
guage of all words without the cover relation and fragments of first-order 
logic were considered. 


Keywords: Subword order - First-order logic - Counting quantifiers - 
Decidable theories 


1 Introduction 


The subword relation (sometimes called scattered subword relation) is a simple example of a well-quasi ordering [7]. This property allows its prominent use in the verification of infinite-state systems [4]. The subword relation can be understood as embeddability of one word into another. This embeddability relation has been considered for other classes of structures like trees, posets, semilattices, lattices, graphs etc. [8–11, 14–16, 22, 23].

We are interested in logics over the subword order. Prior work on this has concentrated on first-order logic where the universe consists of all words over some alphabet. In this setting, we already have a rather precise picture about the border between decidability and undecidability: For the subword order alone, the ∃*-theory is decidable [17] and the ∃*∀*-theory is undecidable [6,12]. If we add constants to the signature, already the ∃*-theory becomes undecidable [6]. With regular predicates, the two-variable theory is decidable, but the three-variable theory is undecidable [12].

Thus, the decidable theories identified so far leave little room to express natural properties. First, the universe is confined to the set of all words and predicates for subsets quickly incur undecidability. Moreover, neither in the ∃*- nor in the two-variable fragment of first-order logic can one express the cover relation ⋖ (i.e., "u is a proper subword of v and there is no word properly between these two"). As another example, one cannot express threshold properties like "there are at most k subwords with a given property" in either of these two logics.

In this paper, we aim to identify decidable logics that are more expressive. To that end, we consider four additions to the expressivity of the logic:

– Instead of all words over some alphabet, the universe is a language L.
– We add regular predicates or constants to the structure.
– Besides the subword order, we also consider the cover relation ⋖.
– We add threshold and modulo counting quantifiers to the logic.

Formally, this means we consider structures of the form

$$(L, \sqsubseteq, \lessdot, (K \cap L)_{K \text{ regular}}, (w)_{w \in L}),$$

where the universe is a language $L \subseteq \Sigma^*$, ⊑ is the subword ordering, ⋖ is the cover relation, there is a predicate $K \cap L$ for each regular $K \subseteq \Sigma^*$, and a constant symbol for each $w \in L$. Moreover, we consider fragments of the logic C+MOD, which extends first-order logic by threshold- and modulo-counting quantifiers.

The key idea of this paper is to find decidable theories by varying the universe L and thereby either (i) simplify the structure (L, ⊑) enough to obtain decidability even with the extensions above or (ii) generalize existing results that currently only apply to L = Σ*. This leads to the following results.


1. First, we require L to be bounded. This means we have $L \subseteq w_1^* \cdots w_m^*$ for some words $w_1, \ldots, w_m \in \Sigma^*$. Then, as soon as L is context-free, the C+MOD-theory of the whole structure is decidable (Theorem 3.4).

2. To lift the boundedness restriction, we show that if L is regular, we still obtain decidability for the whole structure if we stay within the two-variable fragment C+MOD² (Corollary 4.8). This generalizes the decidability of the FO²-theory without the cover relation as shown in [12, Theorem 5.5].

3. Moreover, we consider a regular universe, but lift the two-variable requirement. To get decidability, we restrict quantifiers and available predicates: We show that for regular L, the Σ₁-theory of the structure (L, ⊑) is decidable (Theorem 5.1). In the case L = Σ*, this had been shown in [17, Prop. 2.2].

4. Finally, we place a further restriction on L, but in return obtain decidability with constants. We show that if L is regular and every letter is "frequent" in L (see Sect. 6), then the Σ₁-theory of the structure $(L, \sqsubseteq, (w)_{w \in L})$ is decidable (Theorem 6.2). Note that, by [6, Theorem 3.3], this theory is undecidable if L = Σ*.


Our first result is shown by a first-order interpretation of the structure in (ℕ, +). Since $L \subseteq w_1^* \cdots w_n^*$, instead of words, one can argue about vectors $(x_1, \ldots, x_n) \in \mathbb{N}^n$ for which $w_1^{x_1} \cdots w_n^{x_n} \in L$. For the interpretation, we use the fact that semilinearity of context-free languages yields a Presburger formula expressing $w_1^{x_1} \cdots w_n^{x_n} \in L$ for $(x_1, \ldots, x_n) \in \mathbb{N}^n$. Moreover, Presburger definability of $w_1^{x_1} \cdots w_n^{x_n} \sqsubseteq w_1^{y_1} \cdots w_n^{y_n}$ for $(x_1, \ldots, x_n) \in \mathbb{N}^n$ and $(y_1, \ldots, y_n) \in \mathbb{N}^n$ is a simple consequence of the subword relation being rational, which was observed in [12]. The first-order interpretation of our structure in (ℕ, +) then enables us to employ decidability of the C+MOD-theory of the latter structure [1,5,21]. (Note that this decidability does not follow directly from Presburger's result since in first-order logic, one cannot make statements like "the number of witnesses x ∈ ℕ satisfying ... is even".) A similar interpretation in (ℕ, +) was used in [6] for various algorithms concerning $(\Sigma^*, \sqsubseteq, (w)_{w \in \Sigma^*})$ for fragments of FO related to bounded languages.

Our second result extends an approach from [12] for decidability of the FO²-theory of the structure $(\Sigma^*, \sqsubseteq, (L)_{L \text{ regular}})$. The authors of [12] provide a quantifier elimination procedure showing that every unary relation FO²-definable in this structure is regular. Our extended quantifier-elimination procedure uses the same invariant, now relying on the following two properties:

– The class of regular languages is closed under counting images under unambiguous rational relations. This can be shown either directly or (as we do here) using weighted automata [20].
– The proper subword, the cover, and the incomparability relation are unambiguous rational.


Our third result extends the decidability of the Σ₁-theory of (Σ*, ⊑) from [17]. In [17], decidability is a consequence of the fact that every finite partial order can be embedded into (Σ*, ⊑) if |Σ| ≥ 2. This certainly fails for general regular languages: (a*, ⊑) can only accommodate linear orders. However, we can distinguish two cases: If L is a bounded language, then decidability of the Σ₁-theory of (L, ⊑) follows from our first result. If L is not bounded, then we show that again every finite partial order embeds into (L, ⊑). To this end, we first extend a well-known property of unbounded regular languages, namely that there are $x, u, v, y \in \Sigma^*$ with $x\{u,v\}^*y \subseteq L$ such that |u| = |v| and u ≠ v. We show that here, u, v can be chosen so that uv is a primitive word. We then observe that for large enough n, any embedding of the word $(uv)^{n-1}$ into $(uv)^n$ must hit either the left-most position or the right-most position in $(uv)^n$. This enables us to argue that for large enough n, sending a tuple $(t_1, \ldots, t_m) \in \{0,1\}^m$ to $x\, v^{t_1}(uv)^n \cdots v^{t_m}(uv)^n\, y$ is in fact an embedding of $(\{0,1\}^m, \le)$ into (L, ⊑), where ≤ denotes coordinate-wise comparison. Since any partial order with ≤ m elements embeds into $(\{0,1\}^m, \le)$, this completes the proof.
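The embedding argument above, as an added example that is not part of the paper: the Python below builds the word $x\, v^{t_1}(uv)^n \cdots v^{t_m}(uv)^n\, y$ for every $t \in \{0,1\}^m$ and checks by brute force that the map is an order embedding, i.e. that $s \le t$ holds exactly when the image of $s$ is a subword of the image of $t$. The parameters $x = y = \varepsilon$, $u = a$, $v = b$ (so $|u| = |v|$, $u \ne v$, $uv$ is primitive and $x\{u,v\}^*y \subseteq L = \{a,b\}^*$), $m = 3$ and $n = 3$ are constructed for the demo; with them the check already succeeds, while $n = 0$ (no $(uv)^n$ padding at all) gives a counterexample, which is the role the padding plays in the proof.

```python
# Added example (not from the paper): brute-force check of the embedding
# t = (t1,...,tm) in {0,1}^m  |->  x v^{t1}(uv)^n ... v^{tm}(uv)^n y
# used for the third result.  All parameters below are constructed for the demo.
from itertools import product


def is_subword(u: str, v: str) -> bool:
    """u ⊑ v, decided by greedy left-to-right matching (O(|v|))."""
    it = iter(v)
    return all(c in it for c in u)


def is_primitive(w: str) -> bool:
    """A word is primitive if it is not a proper power of a shorter word."""
    return all(w != w[:d] * (len(w) // d)
               for d in range(1, len(w)) if len(w) % d == 0)


def embed(t: tuple, x: str, u: str, v: str, y: str, n: int) -> str:
    """The word  x v^{t1}(uv)^n v^{t2}(uv)^n ... v^{tm}(uv)^n y  of the paper."""
    return x + "".join(v * ti + (u + v) * n for ti in t) + y


def leq(s: tuple, t: tuple) -> bool:
    """Coordinate-wise comparison on {0,1}^m."""
    return all(a <= b for a, b in zip(s, t))


def is_embedding(m: int, x: str, u: str, v: str, y: str, n: int) -> bool:
    """True iff t |-> embed(t) is an order embedding of ({0,1}^m, <=) into
    (Σ*, ⊑): for all s, t we need  s <= t  <=>  embed(s) ⊑ embed(t)."""
    tuples = list(product((0, 1), repeat=m))
    return all(leq(s, t) == is_subword(embed(s, x, u, v, y, n),
                                       embed(t, x, u, v, y, n))
               for s in tuples for t in tuples)


if __name__ == "__main__":
    # constructed instance: L = {a,b}*, x = y = ε, u = a, v = b, m = 3
    assert is_primitive("a" + "b")
    print("n = 3 embedding:", is_embedding(3, "", "a", "b", "", 3))   # True
    print("n = 0 embedding:", is_embedding(3, "", "a", "b", "", 0))   # False
```

With $n = 0$ the images of $(1,0,0)$ and $(0,1,0)$ coincide (both are the single letter $b$), so the map is not even injective; the $(uv)^n$ blocks are what separate the coordinates.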

Regarding our fourth result, we know from [6] that decidability of the Σ₁-theory of $(L, \sqsubseteq, (w)_{w \in L})$ does not hold for every regular L: Undecidability holds already for L = {a,b}*. Therefore, we require that every letter is frequent in L, meaning that in some automaton for L, every letter occurs in every cycle. In case L is bounded, we can again invoke our first result. If L is not bounded, we deduce from the frequency condition that for every w ∈ Σ*, there are only finitely many words in L that do not have w as a subword. Removing those finitely many words preserves unboundedness, so that every finite partial order embeds in L above w. We then proceed to show that for such languages, any Σ₁-sentence is effectively equivalent to a sentence where constants are only used to express that all variables take values above a certain word w. Since every finite partial order embeds above w, this implies decidability.

Languages Ordered by the Subword Order 351

The full version of this work is available as [18].


2 Preliminaries 


Throughout this paper, let Σ be some finite alphabet. A word $u = a_1 a_2 \ldots a_m$ with $a_1, a_2, \ldots, a_m \in \Sigma$ is a subword of a word $v \in \Sigma^*$ if there are words $v_0, v_1, \ldots, v_m \in \Sigma^*$ with $v = v_0 a_1 v_1 a_2 v_2 \cdots a_m v_m$. In that case, we write u ⊑ v; if, in addition, u ≠ v, then we write u ⊏ v and call u a proper subword of v. If $u, w \in \Sigma^*$ such that u ⊏ w and there is no word v with u ⊏ v ⊏ w, then we say that w is a cover of u and write u ⋖ w. This is equivalent to saying u ⊑ w and |u| + 1 = |w| where |u| is the length of the word u. If neither u is a subword of v nor vice versa, then the words u and v are incomparable and we write u || v. For instance, aa ⊑ babbba, aa ⊏ aba, and aba || aabb.


Let $\mathcal{S} = (L, (R_i)_{i \in I}, (w_j)_{j \in J})$ be a structure, i.e., L is a set, $R_i \subseteq L^{n_i}$ is a relation of arity $n_i$ (for all $i \in I$), and $w_j \in L$ for all $j \in J$. Then, formulas φ of the logic C+MOD are defined by the following grammar:

$$\varphi ::= (s = t) \mid R_i(s_1, \ldots, s_{n_i}) \mid \neg\varphi \mid \varphi \vee \varphi \mid \exists x\,\varphi \mid \exists^{\ge k} x\,\varphi \mid \exists^{p \bmod q} x\,\varphi$$

where $s, t, s_1, \ldots, s_{n_i}$ are variables or constants $w_j$ with $j \in J$, $i \in I$, $k \in \mathbb{N}$, and $p, q \in \mathbb{N}$ with $p < q$. We call $\exists^{\ge k}$ a threshold counting quantifier and $\exists^{p \bmod q}$ a modulo counting quantifier. The semantics of these quantifiers is defined as follows:

$$\mathcal{S} \models \exists^{\ge k} x\,\alpha \iff |\{w \in L \mid \mathcal{S} \models \alpha(w)\}| \ge k$$
$$\mathcal{S} \models \exists^{p \bmod q} x\,\alpha \iff |\{w \in L \mid \mathcal{S} \models \alpha(w)\}| \in p + q\mathbb{N}$$

For instance, $\exists^{0 \bmod 2} x\,\alpha$ expresses that the number of elements of the structure satisfying α is even. Then $(\exists^{0 \bmod 2} x\,\alpha) \vee (\exists^{1 \bmod 2} x\,\alpha)$ holds iff only finitely many elements of the structure satisfy α. The fragment FO+MOD of C+MOD comprises all formulas not containing any threshold counting quantifier. First-order logic FO is the set of formulas from C+MOD not mentioning any counting quantifier. Let Σ₁ denote the set of first-order formulas of the form $\exists x_1\, \exists x_2 \ldots \exists x_k\, \psi$ where ψ is quantifier-free; these formulas are also called existential.
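As an added illustration (not code from the paper), the following Python brute-forces the relations of Section 2 (subword, proper subword, cover, incomparability) and the semantics of the two counting quantifiers over a constructed finite universe. The universe $\Sigma^{\le 3}$ over $\{a,b\}$ and the predicate $\alpha(x) = $ "x ⊑ aab" are assumptions chosen for the demo; on an infinite language the counts would have to come from the quantifier-elimination arguments of the later sections rather than from enumeration.

```python
# Added example (not from the paper): the relations of Section 2 and the
# semantics of the counting quantifiers of C+MOD, evaluated by brute force
# over a finite universe.  All inputs below are constructed for illustration.
from itertools import product


def is_subword(u: str, v: str) -> bool:
    """u ⊑ v: u = a1...am and v = v0 a1 v1 ... am vm for some words v_i.
    Greedy left-to-right matching decides this in O(|v|)."""
    it = iter(v)
    return all(letter in it for letter in u)


def is_proper_subword(u: str, v: str) -> bool:
    """u ⊏ v: a subword that is different from v."""
    return u != v and is_subword(u, v)


def is_cover(u: str, v: str) -> bool:
    """v covers u (u ⋖ v): u ⊏ v with nothing strictly in between, which the
    paper notes is equivalent to u ⊑ v and |u| + 1 = |v|."""
    return len(u) + 1 == len(v) and is_subword(u, v)


def incomparable(u: str, v: str) -> bool:
    """u || v: neither word is a subword of the other."""
    return not is_subword(u, v) and not is_subword(v, u)


def all_words(alphabet: str, max_len: int) -> list:
    """The finite universe Σ^{<=max_len}, standing in for a language L."""
    return ["".join(p) for n in range(max_len + 1)
            for p in product(alphabet, repeat=n)]


def count_witnesses(universe, alpha) -> int:
    """|{w ∈ L | S ⊨ α(w)}|, the quantity both counting quantifiers inspect."""
    return sum(1 for w in universe if alpha(w))


def exists_at_least(k: int, universe, alpha) -> bool:
    """S ⊨ ∃^{≥k} x α  iff  |{w ∈ L | S ⊨ α(w)}| ≥ k."""
    return count_witnesses(universe, alpha) >= k


def exists_mod(p: int, q: int, universe, alpha) -> bool:
    """S ⊨ ∃^{p mod q} x α  iff  |{w ∈ L | S ⊨ α(w)}| ∈ p + qN  (0 ≤ p < q)."""
    assert 0 <= p < q
    return count_witnesses(universe, alpha) % q == p


def demo() -> dict:
    L = all_words("ab", 3)          # constructed universe: words of length ≤ 3

    def alpha(w):                   # constructed predicate: w ⊑ aab
        return is_subword(w, "aab")

    return {
        # the paper's three examples: aa ⊑ babbba, aa ⊏ aba, aba || aabb
        "examples": (is_subword("aa", "babbba"),
                     is_proper_subword("aa", "aba"),
                     incomparable("aba", "aabb")),
        "cover": (is_cover("aa", "aba"), is_cover("a", "aba")),
        "n_subwords_of_aab": count_witnesses(L, alpha),   # ε,a,b,aa,ab,aab
        "at_least_3": exists_at_least(3, L, alpha),
        "even": exists_mod(0, 2, L, alpha),
    }


if __name__ == "__main__":
    print(demo())
```

The six subwords of $aab$ inside $\Sigma^{\le 3}$ are $\varepsilon, a, b, aa, ab, aab$ ($ba$ is not one), so $\exists^{0 \bmod 2} x\,\alpha$ holds and $\exists^{1 \bmod 2} x\,\alpha$ does not; the threshold $\exists^{\ge 3}$ holds as well.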

The threshold quantifier $\exists^{\ge k}$ can be expressed using the existential quantifier only. Consequently, the logics FO+MOD and C+MOD are equally expressive. The situation changes when we restrict the number of variables that can be used in a formula: Let FO+MOD² and C+MOD² denote the set of formulas from FO+MOD and C+MOD, respectively, that use the variables x and y only. Then, the existence of ≥3 elements in the structure is expressible in C+MOD², but not in FO+MOD².
In this paper, we will consider the following structures:

– The largest one is $(L, \sqsubseteq, \lessdot, (K \cap L)_{K \text{ regular}}, (w)_{w \in L})$ for some L ⊆ Σ*. The universe of this structure is the language L, we have two binary predicates (⊑ and ⋖), a unary predicate K ∩ L for every regular language K, and we can use every word from L as a constant.
– The other extreme is the structure (L, ⊑) for some L ⊆ Σ* where we consider only the binary predicate ⊑.
– Finally, we will also prove results on the intermediate structure $(L, \sqsubseteq, (w)_{w \in L})$ that has a binary relation and any word from the language as a constant.

For any structure $\mathcal{S}$ and any of the logics $\mathcal{L}$, the $\mathcal{L}$-theory of $\mathcal{S}$ is the set of sentences from $\mathcal{L}$ that hold in $\mathcal{S}$.


A non-deterministic finite automaton is called non-degenerate if every state lies on a path from an initial to a final state. A language L ⊆ Σ* is bounded if there are a number n ∈ ℕ and words $w_1, w_2, \ldots, w_n \in \Sigma^*$ such that $L \subseteq w_1^* w_2^* \cdots w_n^*$. Otherwise, it is unbounded.

For a monoid M, a subset S ⊆ M is called rational if it is a homomorphic image of a regular language. In other words, there exists an alphabet A, a regular R ⊆ A*, and a homomorphism h: A* → M with S = h(R). In particular, if $\Sigma_1, \Sigma_2$ are alphabets and $M = \Sigma_1^* \times \Sigma_2^*$, then a subset $S \subseteq \Sigma_1^* \times \Sigma_2^*$ is rational iff there is an alphabet A, a regular R ⊆ A*, and homomorphisms $h_i : A^* \to \Sigma_i^*$ with $S = \{(h_1(w), h_2(w)) \mid w \in R\}$. This fact is known as Nivat's theorem [2].

For an alphabet Γ, a word w ∈ Γ*, and a letter a ∈ Γ, let $|w|_a$ denote the number of occurrences of the letter a in the word w. The Parikh vector of w is the tuple $\Psi_\Gamma(w) = (|w|_a)_{a \in \Gamma} \in \mathbb{N}^\Gamma$. Note that $\Psi_\Gamma$ is a homomorphism from the free monoid Γ* onto the additive monoid $(\mathbb{N}^\Gamma, +)$.


3 The FO+MOD-Theory with Regular Predicates

The aim of this section is to prove that the full FO+MOD-theory of the structure

$$(L, \sqsubseteq, \lessdot, (K \cap L)_{K \text{ regular}}, (w)_{w \in L})$$

is decidable for L bounded and context-free. This is achieved by interpreting this structure in (ℕ, +), i.e., in Presburger arithmetic whose FO+MOD-theory is known to be decidable [1,5,21]. We start with three preparatory lemmas.


Lemma 3.1. Let K ⊆ Σ* be context-free, $w_1, \ldots, w_n \in \Sigma^*$, and $g : \mathbb{N}^n \to \Sigma^*$ be defined by $g(\bar m) = w_1^{m_1} w_2^{m_2} \cdots w_n^{m_n}$ for all $\bar m = (m_1, m_2, \ldots, m_n) \in \mathbb{N}^n$. The set $g^{-1}(K) = \{\bar m \in \mathbb{N}^n \mid g(\bar m) \in K\}$ is effectively semilinear.

Proof. Let $\Gamma = \{a_1, a_2, \ldots, a_n\}$ be an alphabet and define the monoid homomorphism $f : \Gamma^* \to \Sigma^*$ by $f(a_i) = w_i$ for all i ∈ [1, n].

Since the class of context-free languages is effectively closed under inverse homomorphisms and under intersections with regular languages, the language

$$L = f^{-1}(K) \cap a_1^* a_2^* \cdots a_n^* = \{u \in a_1^* a_2^* \cdots a_n^* \mid f(u) \in K\}$$

is effectively context-free. Its Parikh image $\Psi_\Gamma(L) \subseteq \mathbb{N}^n$ is effectively semilinear [19]. Moreover, $\Psi_\Gamma(L)$ equals the set $g^{-1}(K)$ from the lemma.


Lemma 3.2. Let $w_1, \ldots, w_n \in \Sigma^*$ and $g : \mathbb{N}^n \to \Sigma^*$ be defined by $g(\bar m) = w_1^{m_1} \cdots w_n^{m_n}$ for all $\bar m = (m_1, m_2, \ldots, m_n) \in \mathbb{N}^n$. The set $\{(\bar m, \bar n) \in \mathbb{N}^n \times \mathbb{N}^n \mid g(\bar m) \sqsubseteq g(\bar n)\}$ is semilinear.

Proof. Let $\Gamma = \{a_1, a_2, \ldots, a_n\}$ be an alphabet and define the monoid homomorphism $f : \Gamma^* \to \Sigma^*$ by $f(a_i) = w_i$ for all i ∈ [1, n]. One first shows that

$$S_2 = \{(u, v) \mid u, v \in a_1^* a_2^* \cdots a_n^*,\ f(u) \sqsubseteq f(v)\}$$

is rational. We now employ Nivat's theorem. It tells us that there are a regular language R over some alphabet A and two homomorphisms $h_1, h_2 : A^* \to \Gamma^*$ so that we can write $S_2 = \{(h_1(w), h_2(w)) \mid w \in R\}$. Since R is regular, its Parikh image $\Psi_A(R) = \{\Psi_A(w) \mid w \in R\}$ is semilinear [19]. There are monoid homomorphisms $p_1, p_2 : \mathbb{N}^A \to \mathbb{N}^n$ with $\Psi_\Gamma(h_i(w)) = p_i(\Psi_A(w))$ for all i ∈ {1, 2} and w ∈ A*. With these, the image $H = \{(p_1(\Psi_A(w)), p_2(\Psi_A(w))) \mid w \in R\}$ of the set $\Psi_A(R)$ under the monoid homomorphism $(p_1, p_2) : \mathbb{N}^A \to \mathbb{N}^n \times \mathbb{N}^n$ is semilinear. It turns out that this set equals the set from the lemma.


Lemma 3.3. Let $w_1, w_2, \dots, w_n \in \Sigma^*$, $L \subseteq w_1^* w_2^* \cdots w_n^*$ be context-free, and
$g\colon \mathbb{N}^n \to \Sigma^*$ be defined by $g(\bar m) = w_1^{m_1} w_2^{m_2} \cdots w_n^{m_n}$ for every tuple $\bar m =
(m_1, m_2, \dots, m_n) \in \mathbb{N}^n$. Then there exists a semilinear set $U \subseteq \mathbb{N}^n$ such that $g$
maps $U$ bijectively onto $L$.

Proof. The set $U$ contains, for each $u \in L$, the lexicographically minimal tuple
$\bar m \in \mathbb{N}^n$ with $g(\bar m) = u$. Then, Lemmas 3.1 and 3.2 and the closure of the class
of semilinear sets under first-order definitions imply the required properties.


Now we can prove the main result of this section. 


Theorem 3.4. Let $L \subseteq \Sigma^*$ be context-free and bounded. Then the FO+MOD-theory
of $(L, \sqsubseteq, \lessdot, (K \cap L)_{K\ \text{regular}}, (w)_{w \in L})$ is decidable.

Proof. It suffices to prove the decidability for the structure $S = (L, \sqsubseteq, (K \cap
L)_{K\ \text{regular}})$ since the theory of the structure from the theorem can be reduced
to that of $S$ ($x \lessdot y$ gets replaced by its definition and $x\,\theta\,w$ by $\exists y\colon y \in \{w\} \wedge x\,\theta\,y$
where $\theta$ is any binary relation symbol).

Since $L$ is bounded, there are words $w_1, w_2, \dots, w_n \in \Sigma^*$ such that $L$ is
included in $w_1^* w_2^* \cdots w_n^*$. For an $n$-tuple $\bar m = (m_1, m_2, \dots, m_n) \in \mathbb{N}^n$ we define
$g(\bar m) = w_1^{m_1} w_2^{m_2} \cdots w_n^{m_n} \in \Sigma^*$.

1. By Lemma 3.3, there is a semilinear set $U \subseteq \mathbb{N}^n$ that is mapped by $g$ bijectively onto $L$.

2. The set $\{(\bar m, \bar n) \mid g(\bar m) \sqsubseteq g(\bar n)\}$ is semilinear by Lemma 3.2.

3. For any regular language $K \subseteq \Sigma^*$ the set $\{\bar m \in \mathbb{N}^n \mid g(\bar m) \in K\} \subseteq \mathbb{N}^n$ is
effectively semilinear by Lemma 3.1.

From these semilinear sets, we obtain first-order formulas $\lambda(\bar x)$, $\sigma(\bar x, \bar y)$, and
$\kappa_K(\bar x)$ in the language of $(\mathbb{N}, +)$ such that, for any $\bar m, \bar n \in \mathbb{N}^n$, we have

$$(\mathbb{N}, +) \models \lambda(\bar m) \iff \bar m \in U,$$
$$(\mathbb{N}, +) \models \sigma(\bar m, \bar n) \iff g(\bar m) \sqsubseteq g(\bar n), \text{ and}$$
$$(\mathbb{N}, +) \models \kappa_K(\bar m) \iff g(\bar m) \in K.$$

One then defines, from an FO+MOD-formula $\varphi(x_1, \dots, x_k)$ in the language of
$S$, an FO+MOD-formula $\varphi'(\bar x_1, \dots, \bar x_k)$ in the language of $(\mathbb{N}, +)$ such that

$$(\mathbb{N}, +) \models \varphi'(\bar m_1, \dots, \bar m_k) \iff S \models \varphi(g(\bar m_1), \dots, g(\bar m_k)).$$

(This construction can be found in the full version [18] and increases the formula
size at least exponentially.)

Consequently, any sentence $\varphi$ from FO+MOD in the language of $S$ is translated
into an equivalent sentence $\varphi'$ in the language of $(\mathbb{N}, +)$. By [1,5,21], validity
of the sentence $\varphi'$ in $(\mathbb{N}, +)$ is decidable.
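As an added worked instance of this interpretation (not part of the original paper), take the bounded regular language $L = a^* b^*$, so $w_1 = a$, $w_2 = b$ and $g(m_1, m_2) = a^{m_1} b^{m_2}$; the semilinear sets and Presburger formulas of steps 1 to 3 are then explicit, and one sentence is carried through the translation. The notation $\exists^{0 \bmod 2}$ for the modulo-counting quantifier is assumed here.

```latex
% Added worked example (not from the paper): L = a^* b^*, g(m_1, m_2) = a^{m_1} b^{m_2}.
% Step 1: g is injective on N^2, so U = N^2 and \lambda(\bar x) is the formula "true".
% Step 2: a^{m_1} b^{m_2} \sqsubseteq a^{n_1} b^{n_2} iff m_1 \le n_1 and m_2 \le n_2 (the a's of the
%   subword can only come from the a-block, the b's only from the b-block), a linear set
%   in the coordinates (m_1, m_2, n_1, n_2):
\{(\bar m, \bar n) \mid g(\bar m) \sqsubseteq g(\bar n)\}
  = \mathbb{N}(1,0,1,0) + \mathbb{N}(0,1,0,1) + \mathbb{N}(0,0,1,0) + \mathbb{N}(0,0,0,1),
\qquad
\sigma(\bar x, \bar y) \;=\; \exists z_1\, \exists z_2\ (x_1 + z_1 = y_1 \;\wedge\; x_2 + z_2 = y_2).
% Step 3: for the regular language K = (aa)^* b,
g^{-1}(K) = \{(2j, 1) \mid j \in \mathbb{N}\} = (0,1) + \mathbb{N}(2,0),
\qquad
\kappa_K(\bar x) \;=\; \exists z\ (x_1 = z + z) \;\wedge\; x_2 = 1,
% where 1 is definable in (N,+) as the least element different from 0, and 4 as 1+1+1+1.
% Translating the FO+MOD-sentence \varphi = \exists^{0 \bmod 2} x\,(x \in K \wedge x \sqsubseteq a^4 b),
% after the constant a^4 b has become \exists y\,(y \in \{a^4 b\} \wedge x \sqsubseteq y), yields
\varphi' \;=\; \exists \bar y\ \bigl(y_1 = 4 \;\wedge\; y_2 = 1 \;\wedge\;
  \exists^{0 \bmod 2} \bar x\ (\kappa_K(\bar x) \wedge \sigma(\bar x, \bar y))\bigr).
% The tuples \bar x counted are (0,1), (2,1), (4,1): three of them, an odd number, so
% (N,+) \not\models \varphi', in agreement with S \not\models \varphi
% (the subwords of a^4 b lying in K are exactly b, aab, aaaab).
```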


4 The C+MOD²-Theory with Regular Predicates

It is the aim of this section to show that the C+MOD²-theory of the structure
$(L, \sqsubseteq, \lessdot, (K \cap L)_{K\ \text{regular}}, (w)_{w \in L})$ is decidable for any regular language $L$. To
this aim, we first show that the C+MOD²-theory of

$$S = (\Sigma^*, \sqsubseteq, \lessdot, (L)_{L\ \text{regular}})$$

is decidable. This decidability proof extends the proof from [12] for the decidability
of the FO²-theory of $(\Sigma^*, \sqsubseteq, (L)_{L\ \text{regular}})$. It provides a quantifier-elimination
procedure (see Sect. 4.3) that relies on the following two properties:

1. The class of regular languages is closed under counting images under unambiguous rational relations (Sect. 4.2) and

2. the proper subword, the cover, and the incomparability relation are unambiguous rational (Sect. 4.1).


4.1 Unambiguous Rational Relations

Recall that, by Nivat's theorem, a relation $R \subseteq \Sigma^* \times \Sigma^*$ is rational if there exist
an alphabet $\Gamma$, a homomorphism $h\colon \Gamma^* \to \Sigma^* \times \Sigma^*$, and a regular language
$S \subseteq \Gamma^*$ such that $h$ maps $S$ surjectively onto $R$. We call $R$ an unambiguous
rational relation if, in addition, $h$ maps $S$ injectively (and therefore bijectively)
onto $R$. Note that these are precisely the relations accepted by unambiguous
2-tape-automata.

While the class of rational relations is closed under unions, this is not the
case for unambiguous rational relations (e.g., $R = \{(a^m b a^n, a^m) \mid m, n \in \mathbb{N}\} \cup
\{(a^m b a^n, a^n) \mid m, n \in \mathbb{N}\}$ is the union of unambiguous rational relations but not
unambiguous). But it is closed under disjoint unions.
Lemma 4.1. For any alphabet $\Sigma$, the cover relation $\lessdot$ and the relation $\sqsubset \setminus \lessdot$
are unambiguous rational.

Proof. For $i \in \{1, 2\}$, let $\Sigma_i = \Sigma \times \{i\}$ and $\Gamma = \Sigma_1 \cup \Sigma_2$. Furthermore, let the
homomorphism $\mathrm{proj}_i\colon \Gamma^* \to \Sigma^*$ be defined by $\mathrm{proj}_i(a, i) = a$ and $\mathrm{proj}_i(a, 3-i) =
\varepsilon$ for all $a \in \Sigma$. Finally, let the homomorphism $\mathrm{proj}\colon \Gamma^* \to \Sigma^* \times \Sigma^*$ be defined
by $\mathrm{proj}(w) = (\mathrm{proj}_1(w), \mathrm{proj}_2(w))$.

— The regular language

$$\mathrm{Sub} = \Bigl(\bigcup_{a \in \Sigma} (\Sigma_2 \setminus \{(a, 2)\})^*\,(a, 2)\,(a, 1)\Bigr)^* \Sigma_2^*$$

is mapped bijectively onto the subword relation.
— Let $S$ be the regular language of words from $\mathrm{Sub}$ with precisely one more
occurrence of letters from $\Sigma_2$ than from $\Sigma_1$. Then $S$ is mapped bijectively
onto the relation $\lessdot$, hence this relation is unambiguous rational.
— Similarly, let $S'$ denote the regular language of all words from $\mathrm{Sub}$ with at
least two more occurrences of letters from $\Sigma_2$ than from $\Sigma_1$. It is mapped
bijectively onto the relation $\sqsubset \setminus \lessdot$, i.e., $\sqsubset \setminus \lessdot$ is unambiguous rational.


Lemma 4.2. For any alphabet $\Sigma$, the incomparability relation

$$\parallel\ = \{(u, v) \in \Sigma^* \times \Sigma^* \mid \text{neither } u \sqsubseteq v \text{ nor } v \sqsubseteq u\}$$

is unambiguous rational.

Proof. We will show that the following three relations are unambiguous rational:

1. $R_1 = \{(u, v) \mid |u| < |v| \text{ and not } u \sqsubseteq v\}$,
2. $R_2 = \{(u, v) \mid |u| = |v| \text{ and } u \neq v\}$, and
3. $R_3 = \{(u, v) \mid |u| > |v| \text{ and not } v \sqsubseteq u\}$.

The result follows since $\parallel$ is the disjoint union of these relations. Let $\Sigma_i$, $\Gamma$, $\mathrm{proj}_i$,
and $\mathrm{proj}$ be defined as in the previous proof. First, the regular language

$$\mathrm{Inc}_2 = (\Sigma_2 \Sigma_1)^*\,\{(a, 2)(b, 1) \mid a, b \in \Sigma,\ a \neq b\}\,(\Sigma_2 \Sigma_1)^*$$

is mapped by $\mathrm{proj}$ bijectively onto $R_2$.

From [12, Lemma 5.2], we learn that $(u, v) \in R_1 \cup R_2$ if, and only if,

— $u = a_1 a_2 \cdots a_\ell u'$ for some $\ell \ge 1$, $a_1, \dots, a_\ell \in \Sigma$, $u' \in \Sigma^*$, and
— $v \in (\Sigma \setminus \{a_1\})^* a_1 (\Sigma \setminus \{a_2\})^* a_2 \cdots (\Sigma \setminus \{a_{\ell-1}\})^* a_{\ell-1} (\Sigma \setminus \{a_\ell\})^* v'$ for some
word $v' \in \Sigma^*$ with $|u'| = |v'|$.

Consequently, $\mathrm{proj}$ maps the following language bijectively onto $R_1 \cup R_2$:

$$\mathrm{Inc}_{1,2} = \Bigl(\bigcup_{a \in \Sigma} (\Sigma_2 \setminus \{(a, 2)\})^*\,(a, 2)\,(a, 1)\Bigr)^* \Bigl(\bigcup_{a \in \Sigma} (\Sigma_2 \setminus \{(a, 2)\})^*\,(a, 1)\Bigr) (\Sigma_2 \Sigma_1)^*$$

and since $\mathrm{Inc}_2 \subseteq \mathrm{Inc}_{1,2}$, $\mathrm{proj}$ maps $\mathrm{Inc}_1 = \mathrm{Inc}_{1,2} \setminus \mathrm{Inc}_2$ bijectively onto $R_1$. The
claim regarding $R_3$ follows analogously.
4.2 Closure Properties of the Class of Regular Languages

Let $R \subseteq \Sigma^* \times \Sigma^*$ be an unambiguous rational relation and $L \subseteq \Sigma^*$ a regular
language. We want to show that the languages of all words $u \in \Sigma^*$

$$\text{with } |\{v \in L \mid (u, v) \in R\}| \ge k \qquad (1)$$
$$(\text{with } |\{v \in L \mid (u, v) \in R\}| \in p + q\mathbb{N}, \text{ respectively}) \qquad (2)$$

are effectively regular for all $k \in \mathbb{N}$ and all $0 \le p < q$, respectively (this does
not hold for arbitrary rational relations). It is straightforward to work out direct
automata constructions for this. However, the full details of this are somewhat
cumbersome. Instead, we provide a proof via weighted automata, which enables
us to split the two constructions into several simple steps.

Let $S$ be a semiring. A function $r\colon \Sigma^* \to S$ is realizable over $S$ if there
are $n \in \mathbb{N}$, $\lambda \in S^{1 \times n}$, a homomorphism $\mu\colon \Sigma^* \to S^{n \times n}$, and $\nu \in S^{n \times 1}$ with
$r(w) = \lambda \cdot \mu(w) \cdot \nu$ for all $w \in \Sigma^*$. The triple $(\lambda, \mu, \nu)$ is a presentation of
dimension $n$ or a weighted automaton for $r$.

In the following, we consider the semiring $\mathbb{N}^\infty$, i.e., the set $\mathbb{N} \cup \{\infty\}$ together
with the commutative operations $+$ and $\cdot$ (with $x + \infty = \infty$ for all $x \in \mathbb{N} \cup \{\infty\}$,
$x \cdot \infty = \infty$ for all $x \in (\mathbb{N} \cup \{\infty\}) \setminus \{0\}$, and $0 \cdot \infty = 0$). Sometimes, we will argue
about sums of infinitely many elements from $\mathbb{N}^\infty$, which are defined as expected.


Proposition 4.3. Let $\Gamma$ and $\Sigma$ be alphabets, $f\colon \Gamma^* \to \Sigma^*$ a homomorphism,
and $\chi\colon \Gamma^* \to \mathbb{N}^\infty$ a realizable function over $\mathbb{N}^\infty$. Then the following function $r$
is effectively realizable over $\mathbb{N}^\infty$:

$$r = \chi \circ f^{-1}\colon \Sigma^* \to \mathbb{N}^\infty\colon u \mapsto \sum_{\substack{w \in \Gamma^* \\ f(w) = u}} \chi(w)$$

Proof. The homomorphism $f$ can be written as $f = f_2 \circ f_1$ where $f_1\colon \Gamma^* \to \Gamma^*$
is non-expanding (i.e., $f_1(a) \in \Gamma \cup \{\varepsilon\}$ for all $a \in \Gamma$) and $f_2\colon \Gamma^* \to \Sigma^*$ is
non-erasing (i.e., $f_2(a) \in \Sigma^*$ for all $a \in \Gamma$). Then $r = (\chi \circ f_1^{-1}) \circ f_2^{-1}$. Then
$\chi' = \chi \circ f_1^{-1}$ is effectively realizable by [3, Lemma 2.2(b)].

Let $(\lambda, \mu, \nu)$ be a presentation of dimension $n$ for $\chi'$. For $\sigma \in \Sigma \cup \{\varepsilon\}$, set
$\Gamma_\sigma = \{b \in \Gamma \mid f_2(b) = \sigma\}$. Furthermore, define the matrix $M \in (\mathbb{N}^\infty)^{n \times n}$ by

$$M_{ij} = \begin{cases} \infty & \text{if there is } w \in \Gamma_\varepsilon^* \text{ with } n < |w| \le 2n \text{ and } \mu(w)_{ij} > 0 \\[4pt] \sum_{w \in \Gamma_\varepsilon^*,\ |w| \le n} \mu(w)_{ij} & \text{otherwise.} \end{cases}$$

Then $M_{ij} = \sum_{w \in \Gamma_\varepsilon^*} \mu(w)_{ij}$ for all $i, j \in [1, n]$. Setting $\lambda' = \lambda \cdot M$ and

$$\mu'(a) = \sum_{b \in \Gamma_a} (\mu(b) \cdot M) \quad \text{for all } a \in \Sigma$$

defines the presentation $(\lambda', \mu', \nu)$ for the function $r = \chi' \circ f_2^{-1}$.
Lemma 4.4. Let $R \subseteq \Sigma^* \times \Sigma^*$ be an unambiguous rational relation and $L \subseteq \Sigma^*$
be regular. Then the following function $r$ is effectively realizable over $\mathbb{N}^\infty$:

$$r\colon \Sigma^* \to \mathbb{N}^\infty\colon u \mapsto |\{v \in L \mid (u, v) \in R\}|$$

Proof. Since $R$ is unambiguous rational, so is $R \cap (\Sigma^* \times L)$, i.e., there are an
alphabet $\Gamma$, homomorphisms $f, g\colon \Gamma^* \to \Sigma^*$, and a regular language $S_L \subseteq \Gamma^*$
such that

$$(f, g)\colon \Gamma^* \to \Sigma^* \times \Sigma^*\colon w \mapsto (f(w), g(w))$$

maps $S_L$ bijectively onto $R \cap (\Sigma^* \times L)$. Since $S_L$ is regular, its characteristic
function $\chi$ is effectively realizable by [20, Prop. 3.12]. One then shows that $r$ is
the function $\chi \circ f^{-1}$ as in Proposition 4.3.


We now come to the main result of this section. 


Proposition 4.5. Let $R \subseteq \Sigma^* \times \Sigma^*$ be an unambiguous rational relation and
$L \subseteq \Sigma^*$ be regular. Then, for $k \in \mathbb{N}$ and for $p, q \in \mathbb{N}$ with $p < q$, the set $H$ of
words $u$ satisfying (1) and (2), respectively, is effectively regular.

Let $R$ denote the rational relation mentioned before Lemma 4.1. Then a word
$a^m b a^n$ has $\ge 2$ "$R$-partners" iff it has an even number of "$R$-partners" iff $m \neq n$.
Hence, the above proposition does not hold for arbitrary rational relations.

Proof. Let $r$ be the function from Lemma 4.4. Setting $x \equiv y$ iff $x = y$ or $k \le
x, y < \infty$ defines a congruence $\equiv$ on $\mathbb{N}^\infty$. Then $S_k^\infty = \mathbb{N}^\infty/{\equiv}$ is a finite semiring
and the function $s\colon \Sigma^* \to S_k^\infty\colon u \mapsto [r(u)]$ is effectively realizable. Since the
semiring $S_k^\infty$ is finite, the "level sets" $s^{-1}([i]) = \{u \in \Sigma^* \mid s(u) = [i]\}$ are
effectively regular by [20, Prop. 4.5]. Since $s^{-1}([k]) \cup s^{-1}([\infty])$ is the language of
words $u$ satisfying (1), the first result follows.

For the second language, we consider the congruence $\equiv\ \subseteq \mathbb{N}^\infty \times \mathbb{N}^\infty$ with
$x \equiv y$ iff $x = y$ or $q \le x, y < \infty$ and $x - y \in q\mathbb{Z}$.


4.3 Quantifier Elimination for C+MOD²

Our decision algorithm employs a quantifier elimination procedure, i.e., we will
transform an arbitrary formula into an equivalent one that is quantifier-free.
As usual, the heart of this procedure handles formulas $\psi = Q y\, \varphi$ where $Q$ is
a quantifier and $\varphi$ is quantifier-free. Since the logic C+MOD² has only two
variables, any such formula $\psi$ has at most one free variable. In other words, it
defines a language $K$. The following lemma shows that this language is effectively
regular, so that $\psi$ is equivalent to the quantifier-free formula $x \in K$.


Lemma 4.6. Let $\varphi(x, y)$ be a quantifier-free formula from C+MOD² in the language
of the structure $S = (\Sigma^*, \sqsubseteq, \lessdot, (L)_{L\ \text{regular}})$. Then the sets

$$\{x \in \Sigma^* \mid S \models \exists^{\ge k} y\, \varphi\} \quad \text{and} \quad \{x \in \Sigma^* \mid S \models \exists^{p \bmod q} y\, \varphi\}$$

are effectively regular for all $k \in \mathbb{N}$ and all $p, q \in \mathbb{N}$ with $p < q$.

Proof. Since $\varphi$ is quantifier-free, we can rewrite it into a Boolean combination
of formulas of the form $x \in K$ and $y \in L$ for some regular languages $K$ and $L$,
$x \sqsubseteq y$ and $y \sqsubseteq x$, and $x \lessdot y$ and $y \lessdot x$.

There are six possible relations between the two variables $x$ and $y$ in the
partial order: we can have $x = y$, $x \lessdot y$ or vice versa, $x \sqsubset y \wedge \neg x \lessdot y$ or vice versa,
or $x \parallel y$. Let $\theta_i(x, y)$ for $1 \le i \le 6$ be formulas describing these relations.

Hence $\varphi$ is equivalent to $\bigvee_{1 \le i \le 6} (\theta_i \wedge \varphi)$. In this formula, any occurrence of
$\varphi$ appears in conjunction with precisely one of the formulas $\theta_i$. Depending on
this formula $\theta_i$ (i.e., the relation between $x$ and $y$), we can simplify $\varphi$ to $\varphi_i$ by
replacing the atomic subformulas that compare $x$ and $y$ by true or false. As a
result, the formula $\varphi$ is equivalent to $\bigvee_{1 \le i \le 6} (\theta_i \wedge \varphi_i)$ where the formulas $\varphi_i$ are
Boolean combinations of formulas of the form $x \in K$ and $y \in L$ for some regular
languages $K$ and $L$.

Now let $k \in \mathbb{N}$. Since the formulas $\theta_i$ are mutually exclusive, we get

$$\exists^{\ge k} y\, \varphi \;=\; \exists^{\ge k} y \bigvee_{1 \le i \le 6} (\theta_i \wedge \varphi_i) \;=\; \bigvee_{(*)} \bigwedge_{1 \le i \le 6} \exists^{\ge k_i} y\, (\theta_i \wedge \varphi_i)$$

where the disjunction $(*)$ extends over all $(k_1, \dots, k_6) \in \mathbb{N}^6$ with $\sum_{1 \le i \le 6} k_i = k$.
Hence it suffices to show that

$$\{x \in \Sigma^* \mid \exists^{\ge k} y\, (\theta_i \wedge \varphi)\} \qquad (3)$$

is effectively regular for all $1 \le i \le 6$, all $k \in \mathbb{N}$, and all Boolean combinations
$\varphi$ of formulas of the form $x \in K$ and $y \in L$ where $K$ and $L$ are regular languages.
We can find regular languages $K_m$ and $L_m$ and a finite set $I$ such that
$\varphi$ is equivalent to $\bigvee_{m \in I} (x \in K_m \wedge y \in L_m)$ and such that this disjunction is
exclusive. Hence the set from (3) equals the union of the sets

$$\{x \in \Sigma^* \mid \exists^{\ge k} y\, (\theta_i \wedge x \in K_m \wedge y \in L_m)\} \;=\; K_m \cap \underbrace{\{x \in \Sigma^* \mid \exists^{\ge k} y \in L_m\colon \theta_i\}}_{H_m}$$

for $m \in I$. The set $H_m$ is effectively regular by Proposition 4.5 and Lemmas 4.1
and 4.2. Since the language in the claim of the lemma is a Boolean combination
of such sets, the first claim is demonstrated; the second follows similarly.


The only atomic formulas with a single variable $x$ are $x \in L$ with $L$ regular,
$x = x$, $x \sqsubseteq x$ (which are equivalent to $x \in \Sigma^*$), and $x \lessdot x$ (which is equivalent
to $x \in \emptyset$). Hence, any quantifier-free formula with a single free variable $x$ is a
Boolean combination of statements of the form $x \in L$. Lemma 4.6 thus implies:

Theorem 4.7. Let $S = (\Sigma^*, \sqsubseteq, \lessdot, (L)_{L\ \text{regular}})$. Let $\varphi(x)$ be a formula from
C+MOD². Then the set $\{x \in \Sigma^* \mid S \models \varphi\}$ is effectively regular.

Corollary 4.8. Let $L \subseteq \Sigma^*$ be a regular language. Then the C+MOD²-theory
of the structure $S_L = (L, \sqsubseteq, \lessdot, (K \cap L)_{K\ \text{regular}}, (w)_{w \in L})$ is decidable.

Proof. Let $\varphi \in$ C+MOD² be a sentence. We build $\varphi_L$ by (1) restricting all
quantifications to $L$, and (2) replacing $x\,\theta\,w$ by $\exists y\colon y \in \{w\} \wedge x\,\theta\,y$, and dually for $w\,\theta\,x$,
for all $w \in L$ and all binary relations $\theta$.

With $S$ the structure from Theorem 4.7, we obtain $S \models \varphi_L \iff S_L \models \varphi$.
By Theorem 4.7, the language $\{x \mid S \models \varphi_L\}$ is regular (since $\varphi_L$ is a sentence,
it is $\emptyset$ or $\Sigma^*$). Hence $\varphi_L$ holds iff this set is nonempty, which is decidable.


5 The $\Sigma_1$-Theory

In this section, we study for which regular languages $L$ the $\Sigma_1$-theory of the
structure $(L, \sqsubseteq)$ is decidable. If $L$ is bounded, then decidability follows from
Theorem 3.4. In the case of $(\Sigma^*, \sqsubseteq)$, decidability is known as well [17]. Here, we
prove decidability for every regular language $L$. Note that in terms of quantifier
block alternation, this is optimal: the $\Sigma_2$-theory is undecidable already in the
simple case of $(\{a, b\}^*, \sqsubseteq)$ [6].

Theorem 5.1. For every regular $L \subseteq \Sigma^*$, the $\Sigma_1$-theory of $(L, \sqsubseteq)$ is decidable.

Observe that very generally, the $\Sigma_1$-theory of a partially ordered set $(P, \le)$ is
decidable if every finite partial order embeds into $(P, \le)$: in that case, a formula
with $n$ variables is satisfied in $(P, \le)$ if and only if it is satisfied in some finite
partial order with at most $n$ elements. This is used to obtain decidability for the
case $L = \Sigma^*$ with $|\Sigma| \ge 2$ in [17].

As mentioned above, if $L$ is bounded, decidability follows from Theorem 3.4.
If $L$ is unbounded, it is well-known that there is a subset $x\{p, q\}^* y \subseteq L$ such that
$|p| = |q|$ and $p \neq q$ (see Lemma 5.2). Since in that case, the monoids $(\{a, b\}^*, \cdot)$
and $(\{p, q\}^*, \cdot)$ are isomorphic, it is tempting to assume that $(\{a, b\}^*, \sqsubseteq)$ embeds
into $(\{p, q\}^*, \sqsubseteq)$ and thus into $(x\{p, q\}^* y, \sqsubseteq)$. However, that is not the case. If
$L = \{ab, ba\}^*$, then the downward closure of any infinite subset of $L$ includes
all of $L$. Since, on the other hand, $(\{a, b\}^*, \sqsubseteq)$ has infinite downward closed
strict subsets such as $a^*$, it cannot embed into $(L, \sqsubseteq)$. Nevertheless, the rest
of this section demonstrates that every finite partial order embeds into $(L, \sqsubseteq)$
whenever $L$ is an unbounded regular language. By the previous paragraph, this
implies Theorem 5.1.

We recall a well-known property of unbounded regular languages.

Lemma 5.2. If $L \subseteq \Sigma^*$ is not bounded, then there are $x, y, p, q \in \Sigma^*$ such that
$|p| = |q|$, $p \neq q$, and $x\{p, q\}^* y \subseteq L$.

Proof. Let $A$ be any non-degenerate deterministic finite automaton accepting
$L$. Then at least one strongly connected component of $A$ is not a cycle since
otherwise, $L$ would be bounded. Hence, there is a state $s$ and prefix-incomparable
words $u, v$, each of which is read on a cycle starting in $s$. Since $u$ and $v$ are prefix-incomparable,
the words $p = uv$ and $q = vu$ are distinct, but equally long. Since
$A$ is non-degenerate, there are words $x, y \in \Sigma^*$ with $x\{p, q\}^* y \subseteq L$.


360 D. Kuske and G. Zetzsche 


To have some control over how words can embed, we prove a stronger version
of Lemma 5.2. Two words $p, q \in \Sigma^*$ are conjugate if there are $x, y \in \Sigma^*$ with
$p = xy$ and $q = yx$. A word $p \in \Sigma^*$ is primitive if there is no $q \in \Sigma^*$ with
$p \in qq\,q^*$.

Proposition 5.3. For every unbounded regular language $L \subseteq \Sigma^*$, there are
$x, u, v, y \in \Sigma^*$ such that $|u| = |v|$, the word $uv$ is primitive, and $x\{u, v\}^* y \subseteq L$.

Proof. Since $L$ is unbounded and regular, Lemma 5.2 yields words $x, y, p, q \in \Sigma^*$
with $|p| = |q|$, $p \neq q$, and $x\{p, q\}^* y \subseteq L$. Then the words $r = pq$ and $s = pp$
are not conjugate, because every conjugate of a square is a square. Moreover,
$|r| = |s|$, and $x\{r, s\}^* y \subseteq x\{p, q\}^* y \subseteq L$. Let $n = |r|$, $u = rs^{n-1}$, and $v = s^n$.
Towards a contradiction, suppose $uv = rs^{2n-1}$ is not primitive. Then there is a
word $w \in \Sigma^*$ with $rs^{2n-1} \in ww\,w^*$. Depending on whether $|w| > n$ or $|w| \le n$,
we have $n \le |w^t| \le n^2$ either for $t = 1$ or for $t = n$. It follows that $r$ is a prefix
of $w^t$ and that $w^t$ is a suffix of $s^n$, implying that $r$ is a factor of $s^n$. Since $r$ and
$s$ are not conjugate, this is impossible.

We are now ready to describe how to embed a finite partial order into $(L, \sqsubseteq)$.
Observe that every finite partial order with $m$ elements embeds into $(\{0, 1\}^m, \le)$
where $\le$ is the componentwise order. Hence, it suffices to embed this partial order
into $(\{u, v\}^*, \sqsubseteq)$. We do this as follows. Let $n = |uv| + m + 3$ and define, for a
tuple $t = (t_1, \dots, t_m) \in \{0, 1\}^m$,

$$y_m(t_1, \dots, t_m) = v^{t_1} (uv)^n \cdots v^{t_m} (uv)^n.$$

Then, clearly, $s \le t$ implies $y_m(s) \sqsubseteq y_m(t)$. The converse requires a careful
analysis of how prefixes of $y_m(s)$ can embed into prefixes of $y_m(t)$. For $x, y \in \Sigma^*$,
we write $x \to y$ if $x$, but no word $xa$ with $a \in \Sigma$, is a subword of $y$. In other
words, $x \to y$ if $x$ is a prefix-maximal subword of $y$. This gives us a criterion for
non-embeddability: if $x$ has a strict prefix $x_0$ with $x_0 \to y$, then certainly $x \not\sqsubseteq y$.
In this case, the word $x_1$ with $x = x_0 x_1$ is called residue. We show the following:

Lemma 5.4. Let $u, v \in \Sigma^*$ be words such that $|u| = |v|$ and $uv$ is primitive.
Then, for all $\ell, n \in \mathbb{N}$ with $n \ge |uv| + \ell + 2$, we have

(i) $(uv)^n \to v(uv)^n$,
(ii) $(uv)^\ell v (uv)^{n-\ell-1} \to (uv)^n$, and
(iii) $(uv)^{\ell+1} v (uv)^{n-\ell-2} \to v(uv)^n$.

For this lemma, it is crucial to observe that for a primitive word $w$ and $n \ge |w| + 1$,
any embedding of $w^{n-1}$ into $w^n$ must either hit the left-most or the right-most
position in $w^n$. To conclude that $s \not\le t$ implies $y_m(s) \not\sqsubseteq y_m(t)$, we argue about
prefixes of the form $p_i = v^{s_1} (uv)^n \cdots v^{s_i} (uv)^n$ and $q_i = v^{t_1} (uv)^n \cdots v^{t_i} (uv)^n$ for
$i \in [1, m]$. If $s \not\le t$, let $i \in [1, m]$ be the index with $s_i = 1$, $t_i = 0$ and $s_j \le t_j$
for all $j \in [1, i-1]$. Then clearly $p_{i-1} \sqsubseteq q_{i-1}$. In fact, Lemma 5.4 (i) implies
that even $p_{i-1} \to q_{i-1}$, since $x \to y$ and $x' \to y'$ imply $xx' \to yy'$. Then, by
Lemma 5.4 (ii), $p_i = p_{i-1} v (uv)^{n-1} (uv)$ has a residue of $uv$ in $q_i = q_{i-1} (uv)^n$.
To conclude $y_m(s) \not\sqsubseteq y_m(t)$, it remains to be shown that this can never be
rectified when considering prefixes $p_j$ and $q_j$ for $j = i+1, \dots, m$. To this end,
Lemma 5.4 (ii) and (iii) tell us that if $p_j$ has a residue of $(uv)^\ell$ in $q_j$, then the
word $p_{j+1}$ has a residue of $(uv)^\ell$ or even $(uv)^{\ell+1}$ in $q_{j+1}$.
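As an added worked instance of this residue argument (not part of the original paper), take the language $L = \{ab, ba\}^*$ mentioned above with $u = ab$ and $v = ba$ (so $|u| = |v| = 2$ and $uv = abba$ is primitive), $m = 3$, hence $n = |uv| + m + 3 = 10$, and the tuples $s = (1, 0, 0) \not\le t = (0, 1, 1)$; this is the smallest case in which a length comparison alone does not decide non-embeddability.

```latex
% Added worked example (not from the paper): u = ab, v = ba, m = 3, n = 10,
% s = (1,0,0), t = (0,1,1).
y_3(s) = v\,(uv)^{10}\,(uv)^{10}\,(uv)^{10} = v\,(uv)^{30},
\qquad
y_3(t) = (uv)^{10}\,v\,(uv)^{10}\,v\,(uv)^{10}.
% |y_3(s)| = 122 < 124 = |y_3(t)|, so the length does not rule out y_3(s) \sqsubseteq y_3(t).
% Block i = 1 (s_1 = 1, t_1 = 0): p_1 = v(uv)^{10}, q_1 = (uv)^{10}. Lemma 5.4(ii) with
% \ell = 0 (n = 10 \ge |uv| + 0 + 2 = 6) gives
v\,(uv)^{9} \;\to\; (uv)^{10},
% so p_1 embeds into q_1 only up to v(uv)^9, with residue uv.
% Blocks j = 2, 3 (s_j = 0, t_j = 1): the residue uv is prepended to p_j = (uv)^{10},
% and (uv)^{11} has to embed into v(uv)^{10}; Lemma 5.4(i) gives
(uv)^{10} \;\to\; v\,(uv)^{10},
% so the residue after each of these blocks is again uv. Since x \to y and x' \to y'
% imply xx' \to yy', the blockwise prefix-maximal embeddings compose:
x_0 \;=\; v(uv)^{9}\cdot(uv)^{10}\cdot(uv)^{10} \;=\; v\,(uv)^{29} \;\to\; y_3(t),
% and x_0 is a strict prefix of y_3(s) = v(uv)^{30}; hence y_3(s) \not\sqsubseteq y_3(t).
% Checked on the letters, with uv = abba: the leftmost embedding of ba(abba)^9 into
% (abba)^{10} takes b, a from the first block and then one abba per remaining block,
% ending on the last letter; the leftmost embedding of (abba)^{10} into ba(abba)^{10}
% takes the a of the prefix ba, then b, b, a from the first block and one abba per
% remaining block, again ending on the last letter. Neither can be extended by a letter.
```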


6 The $\Sigma_1$-Theory with Constants

In this section, we study for which languages $L$ the structure $(L, \sqsubseteq, (w)_{w \in L})$ has
a decidable $\Sigma_1$-theory. From Theorem 3.4, we know that this is the case whenever
$L$ is bounded. However, there are very simple languages for which decidability
is lost: if $|\Sigma| \ge 2$, then the $\Sigma_1$-theory of $(\Sigma^*, \sqsubseteq, (w)_{w \in \Sigma^*})$ is undecidable [6].
Here, we present a sufficient condition for the $\Sigma_1$-theory of $(L, \sqsubseteq, (w)_{w \in L})$ to
be decidable.

Let $L \subseteq \Sigma^*$. We say that a letter $a \in \Sigma$ is frequent in $L$ if there is a real
constant $\delta > 0$ so that $|w|_a > \delta \cdot |w|$ for all but finitely many $w \in L$. Our
sufficient condition requires that all letters be frequent in $L$. If $L$ is regular, this
is equivalent to saying that in every non-degenerate automaton for $L$, every cycle
contains every letter. An example of such a language is $\{ab, ba\}^*$.

We shall prove that this condition implies decidability of the $\Sigma_1$-theory of
$(L, \sqsubseteq, (w)_{w \in L})$. If $L$ is bounded, decidability already follows from Theorem 3.4.
In case $L$ is unbounded, we employ our results from Sect. 5 to show another
embeddability result. For $w \in \Sigma^*$, let $w{\uparrow} = \{u \in \Sigma^* \mid w \sqsubseteq u\}$ denote the
upward closure of $\{w\}$ in $(\Sigma^*, \sqsubseteq)$. We will show that if $L$ is unbounded, then for
each $w \in \Sigma^*$, the decomposition $L = (L \setminus w{\uparrow}) \cup (L \cap w{\uparrow})$ yields two simple
parts: the set $L \setminus w{\uparrow}$ is finite and the set $L \cap w{\uparrow}$ embeds every finite partial
order. This simplifies the conditions under which a $\Sigma_1$-sentence is satisfied.

Lemma 6.1. Let $L \subseteq \Sigma^*$ be an unbounded regular language where every letter
is frequent. For every $w \in \Sigma^*$, the set $L \setminus w{\uparrow}$ is finite and $L \cap w{\uparrow}$ is unbounded.

Proof. In a non-degenerate automaton $A$ for $L$, every cycle must contain every
letter. Therefore, if $A$ has $n$ states and $v \in L$ has $|v| > n \cdot |w|$, then a computation
for $v$ must contain some state more than $|w|$ times, which implies $w \sqsubseteq v$ and
hence $v \notin L \setminus w{\uparrow}$. Therefore, $L \setminus w{\uparrow}$ is finite. This implies that $L \cap w{\uparrow}$ is unbounded:
otherwise $L = (L \cap w{\uparrow}) \cup (L \setminus w{\uparrow})$ would be bounded as well.

Theorem 6.2. Let $L \subseteq \Sigma^*$ be an unbounded regular language where every letter
is frequent. Then the $\Sigma_1$-theory of $(L, \sqsubseteq, (w)_{w \in L})$ is decidable.

Proof. For decidability, we may assume that we are given a formula $\varphi$ that is a
disjunction of conjunctions of literals of the following forms (where $x$ and $y$ are
arbitrary variables and $w$ an arbitrary word from $L$):

$$\text{(i)}\ x \sqsubseteq w \qquad \text{(iii)}\ w \sqsubseteq x \qquad \text{(v)}\ x \sqsubseteq y$$
$$\text{(ii)}\ x \not\sqsubseteq w \qquad \text{(iv)}\ w \not\sqsubseteq x \qquad \text{(vi)}\ x \not\sqsubseteq y$$

Step 1. We first show that literals of types (i) and (iv) can be eliminated. To
this end, we observe that for each $w \in L$, both of the sets $\{u \in L \mid u \sqsubseteq w\}$ and
$\{u \in L \mid w \not\sqsubseteq u\}$ are finite (in the latter case, this follows from Lemma 6.1). Thus,
every conjunction that contains a literal $x \sqsubseteq w$ or $w \not\sqsubseteq x$ constrains $x$ to finitely
many values. Therefore, we can replace this conjunction with a disjunction of
conjunctions that result from replacing $x$ by one of these values. (Here, we might
obtain literals $u \sqsubseteq v$ or $u \not\sqsubseteq v$, but those can be replaced by other equivalent
formulas.) We repeat this until there are no more literals of the form (i) and (iv).

Step 2. We now eliminate literals of the form (ii). Note that the language $\{u \in
L \mid u \not\sqsubseteq w\}$ is upward closed in $(L, \sqsubseteq)$. Since $L$ is regular, we can compute the
finite set of minimal elements of this set. Thus, $x \not\sqsubseteq w$ is equivalent to a finite
disjunction of literals of the form $w' \sqsubseteq x$. The resulting formula $\psi$ is a disjunction
of conjunctions of literals of the form (iii), (v), (vi).

Step 3. To check satisfiability, we may assume that $\psi$ is a conjunction of literals
of the form (iii), (v), (vi). We can write $\psi$ as $\psi_1 \wedge \psi_2$, where $\psi_1$ is a conjunction of
literals of the form (iii) and $\psi_2$ is a conjunction of literals of the form (v) and (vi).
We claim that $\psi$ is satisfiable if and only if $\psi_2$ is satisfiable in some partial order.
The "only if" direction is trivial, so suppose $\psi_2$ is satisfied by some finite partial
order $(P, \le)$ and let $w \in \Sigma^*$ be a concatenation of all words occurring in $\psi_1$. By
Lemma 6.1, $L \cap w{\uparrow}$ is unbounded, which implies that $(P, \le)$ can be embedded
into $(L \cap w{\uparrow}, \sqsubseteq)$ (see Sect. 5). This means there exists a satisfying assignment
where even $w \sqsubseteq x$ for every variable $x$. In particular, it satisfies $\psi = \psi_1 \wedge \psi_2$.


Open Questions

We did not consider complexity issues. In particular, from [13], we know that
the FO²-theory of the structure $(\Sigma^*, \sqsubseteq, (w)_{w \in \Sigma^*})$ can be decided in elementary
time. We are currently working out the details for the extension of this result
to the C+MOD²-theory of the structure $(L, \sqsubseteq, (w)_{w \in L})$ for regular languages $L$.
We reduced the FO+MOD-theory of the full structure (for $L$ context-free and
bounded) to the FO+MOD-theory of $(\mathbb{N}, +)$, which is known to be decidable in
elementary time [5]. Our reduction increases the formula exponentially due to
the need of handling statements of the form "there is an even number of pairs
$(x, y) \in \mathbb{N}^2$ such that ...". It should be checked whether the proof from [5] can be
extended to handle such statements in FO+MOD for $(\mathbb{N}, +)$ directly.

Finally, our results raise an interesting question: for which regular languages
$L$ does the structure $(L, \sqsubseteq, (w)_{w \in L})$ have a decidable $\Sigma_1$-theory? If every letter
is frequent in $L$, we have decidability. For example, this applies to $L = \{ab, ba\}^*$
or $L = \{ab, baa\}^* \cup bb\{abb\}^*$. If $L = \Sigma^*$ for $|\Sigma| \ge 2$, we have undecidability [6].
Abstract. We consider the probabilistic untyped lambda-calculus and
prove a stronger form of the adequacy property for probabilistic coherence
spaces (PCoh), showing how the denotation of a term statistically
distributes over the denotations of its head-normal forms.

We use this result to state a precise correspondence between PCoh and
a notion of probabilistic Nakajima trees, recently introduced by Leventis
in order to prove a separation theorem. As a consequence, we get full
abstraction for PCoh. This latter result has already been mentioned as a
corollary of Clairambault and Paquet's full abstraction theorem for probabilistic
concurrent games. Our approach allows us to prove the property
directly, without the need of a third model.

Keywords: Lambda-Calculus · Denotational semantics ·
Probabilistic functional programming


1 Introduction

Full abstraction for the maximal consistent sensible $\lambda$-theory $\mathcal{H}^*$ [1] is a crucial
property for a model of the untyped $\lambda$-calculus, stating that two terms $M, N$ have
the same denotation in the model iff for every context $C[\,]$ the head-reduction
sequences of $C[M]$ and $C[N]$ either both terminate or both diverge. The first
such result was obtained for Scott's model $D_\infty$ by Hyland [10] and Wadsworth
[15]. More recently, Manzonetto developed a general technique for achieving
full abstraction for a large class of models, decomposing it into the adequacy
property and a notion of well-stratification [13]. An adequacy property states
that the semantics of a $\lambda$-term is different from the bottom element iff its head-reduction
terminates. Well-stratification is more technical; basically it means
that the semantics of a $\lambda$-term can be stratified into different levels, expressing in
the model the nesting of the head-normal forms defining the interaction between
a $\lambda$-term and a context.

Our paper reconsiders these results in the setting of the probabilistic untyped
$\lambda$-calculus $\Lambda^+$. The language extends the untyped $\lambda$-calculus with a barycentric
sum constructor allowing for terms like $M +_p N$, with $p \in [0, 1]$, reducing to
$M$ with probability $p$ and to $N$ with probability $1 - p$. In recent years there
has been a renewed interest in $\Lambda^+$ as a core language for (untyped) discrete
probabilistic functional programming. In particular, Leventis proves in [12] a
separation property for $\Lambda^+$ based on a probabilistic version of Nakajima trees,
the latter describing a nesting of sub-probability distributions of infinitary $\eta$-long
head-normal forms (see Sect. 5 and the examples in Fig. 2).

We consider the semantics of $\Lambda^+$ given by the probabilistic coherence space
$D$ defined by Danos and Ehrhard in [5] and proved to be adequate in [6]. We
show that the denotation $[\![M]\!]$ in $D$ of a $\Lambda^+$ term $M$ enjoys a kind of stratification
property (Theorem 1, called here strong adequacy) and we use this property
to prove that $[\![M]\!]$ is a faithful description of the probabilistic Nakajima tree
of $M$ (Corollary 1). As a consequence of this result and the previously mentioned
separation theorem, we achieve full abstraction for $D$ (Theorem 2), thus
reconstructing in this setting Manzonetto's reasoning for classical $\lambda$-calculus.

Very recently, and independently from this work, Clairambault and Paquet
also prove full abstraction for $D$ [2]. Their proof uses a game semantics model
representing in an abstract way the probabilistic Nakajima trees and a faithful
functor from this game semantics to the weighted relational semantics of [11].
The latter provides a model having the same equational theory over $\Lambda^+$ as the
probabilistic coherence space $D$, so full abstraction for $D$ follows immediately. By
the way, let us emphasise that all results in our paper can be transferred as they
are to the weighted relational semantics of [11]. We decided however to consider
the probabilistic coherence space model in order to highlight the correspondence
between the definition of $D$ (Eq. (11)) and the definition of the logical relation
(Eq. (13)) which is the key ingredient in the proof of our notion of stratification.

Let us give some more intuitions on this latter notion, which has an interest in
its own right. The model $D$ is defined as the limit of a chain of probabilistic coherence
spaces $(D_k)_{k \in \mathbb{N}}$ approximating more and more the denotation of $\Lambda^+$ terms. The
adequacy property proven in [6] states that the probability of a term $M$ to
converge to a head-normal form is given by the mass of the semantics $[\![M]\!]$
restricted to the subspace $D_2$ [6, Theorem 22]. The natural question is then
to understand which kind of operational meaning is carried by the rest of the mass
of $[\![M]\!]$, i.e. the points of order greater than 2. Our Theorem 1 answers this
question, showing that the semantics $[\![M]\!]$ distributes over the semantics of its
head-normal forms according to the operational semantics of $\Lambda^+$. By iterating
this reasoning one gets a stratification of $[\![M]\!]$ into a nesting of ($\eta$-expanded)
head-normal forms which is the key ingredient linking $[\![M]\!]$ and the probabilistic
Nakajima trees (Corollary 1).

The fact that our proof of full abstraction is based on the notion of strong
adequacy makes it very plausible that the proof can be adapted to a more general
class of models than only probabilistic coherence spaces and weighted semantics.
In particular, we would like to stress that we did not use the property of
analyticity of term denotations, which is instead at the core of the proof of full
abstraction for probabilistic PCF-like languages [7,8].
Notational convention. We write $\mathbb{N}$ for the set of natural numbers and $\mathbb{R}_{\ge 0}$ for
the set of non-negative real numbers. Given any set $X$ we write $\mathcal{M}_f(X)$ for the
set of finite multisets of $X$: an element $m \in \mathcal{M}_f(X)$ is a function $X \to \mathbb{N}$
such that the support of $m$, $\mathrm{Supp}(m) = \{x \in X \mid m(x) > 0\}$, is finite. We write
$[x_1, \dots, x_n]$ for the multiset $m$ such that $m(x)$ = number of indices $i$ s.t. $x = x_i$,
so $[\,]$ is the empty multiset and $\uplus$ the disjoint union. The Kronecker delta over
a set $X$ is defined for $x, y \in X$ by: $\delta_{x,y} = 1$ if $x = y$, and $\delta_{x,y} = 0$ otherwise.


2 The Probabilistic Language At 


We recall the call-by-name untyped probabilistic $\lambda$-calculus, following [6]. The
set $\Lambda^+$ of terms over a set $\mathcal{V}$ of variables is defined inductively by:

$$M, N \in \Lambda^+ ::= x \mid \lambda x.M \mid MN \mid M +_p N, \qquad (1)$$

where $x$ ranges over $\mathcal{V}$ and $p$ ranges over $[0,1]$. Note that we consider probabilities
over the whole interval $[0,1]$ but our proofs still hold if we restrict them to rational
numbers. We use the $\lambda$-calculus terminology and notations as in [1]: terms are
considered modulo $\alpha$-equivalence, i.e. variable renaming; we write $\mathrm{FV}(M)$ for the
set of free variables of a term $M$. For any finite list of variables $\Gamma = x_1, \dots, x_n$ we
write $\Lambda^+_\Gamma$ for the set of terms $M \in \Lambda^+$ such that $\mathrm{FV}(M) \subseteq \{x_1, \dots, x_n\}$. Given
two terms $M, N \in \Lambda^+$ and $x \in \mathcal{V}$ we write $M\{N/x\}$ for the term obtained by
substituting $N$ for the free occurrences of $x$ in $M$, subject to the usual proviso
of renaming bound variables of $M$ to avoid capture of free variables in $N$.


Example 1. Some terms useful in giving examples: the duplicator $\delta = \lambda x.xx$,
the Turing fixed point combinator $\Theta = (\lambda xy.y(xxy))(\lambda xy.y(xxy))$ and $\Omega = \delta\delta$.


A context $C[\ ]$ is a term containing a single occurrence of a distinguished
variable denoted $[\ ]$ and called hole. A head-context is of the form $E[\ ] =
\lambda x_1 \dots x_n.[\ ]M_1 \dots M_k$, for $n, k \geq 0$ and $M_i \in \Lambda^+$. Given $M \in \Lambda^+$, we write $C[M]$
for the term obtained by replacing $M$ for the hole in $C[\ ]$, possibly with capture
of free variables. The operational semantics is given by a Markov chain over
$\Lambda^+$, mixing together the standard head-reduction of untyped $\lambda$-calculus with the
probabilistic choice $+_p$. Precisely, this system is given by the transition matrix
$\mathrm{Red}$ in Eq. (2). It is well known that any $\Lambda^+$-term $M$ can be uniquely decomposed
into $E[R]$ for $E[\ ]$ a head-context and $R$ either a $\beta$-redex, or a $+_p$-redex (for some
$p \in [0,1]$) or a variable in $\mathcal{V}$. This gives the following cases:

$$\mathrm{Red}_{M,N} ::= \begin{cases}
1 & \text{if } R = (\lambda x.M')M'' \text{ and } N = E[M'\{M''/x\}] \\
p & \text{if } R = M' +_p M'',\ M' \neq M'' \text{ and } N = E[M'] \\
1 - p & \text{if } R = M' +_p M'',\ M' \neq M'' \text{ and } N = E[M''] \\
1 & \text{if } R = M' +_p M' \text{ and } N = E[M'] \\
1 & \text{if } R \in \mathcal{V} \text{ and } N = E[R] \\
0 & \text{otherwise}
\end{cases} \qquad (2)$$
This matrix is stochastic, i.e. for any term $M$, $\sum_N \mathrm{Red}_{M,N} = 1$. A head-normal
form is a term of the form $E[y]$, with $y \in \mathcal{V}$ called its head-variable. We write
$\mathrm{HNF}$ for the set of all head-normal forms. Following [5,6], we consider the head-normal
forms as absorbing states of the process. Hence the $n$-th power $\mathrm{Red}^n$ of
the matrix $\mathrm{Red}$ describes the process of performing exactly $n$ steps: $\mathrm{Red}^n_{M,N}$ is
the probability that after $n$ process steps $M$ will reach state $N$.


Example 2. Let $L = (x +_p y)$, we have $\mathrm{Red}_{xL,xL} = 1$, and $\mathrm{Red}^n_{\delta L, xL} = p$,
$\mathrm{Red}^n_{\delta L, yL} = 1 - p$ for all $n \geq 2$. In fact both $xL$ and $yL$ are head-normal forms,
so absorbing states. The term $\Omega$ $\beta$-reduces to itself, so $\mathrm{Red}^n_{\Omega,\Omega} = 1$ for any $n$,
giving an example of absorbing state which is not a head-normal form.

The Turing fixed point combinator needs two $\beta$-steps to unfold its argument,
so, for any term $M$, $\mathrm{Red}^2_{\Theta M, M(\Theta M)} = 1$. In the case $M$ is a probabilistic function
like $M = \lambda f.(f +_p y)$, we get $\mathrm{Red}^{4n}_{\Theta M, \Theta M} = p^n$ and $\mathrm{Red}^{4n}_{\Theta M, y} = 1 - p^n$, for
any $n$. In the case $M = \lambda f.(yf +_p y)$, we get: $\mathrm{Red}^{4n}_{\Theta M, y^n(\Theta M)} = p^n$ and
$\mathrm{Red}^{4n}_{\Theta M, y^n(y)} = (1-p)p^n$, where $y^n(\dots)$ denotes the $n$-fold application $y(\dots y(\dots))$.


Notice that for $h \in \mathrm{HNF}$ and $M \in \Lambda^+$, the sequence $(\mathrm{Red}^n_{M,h})_{n \in \mathbb{N}}$ is monotone
increasing and bounded by 1, so it converges. We define its limit by:

$$\forall M \in \Lambda^+, \forall h \in \mathrm{HNF}, \quad \mathrm{Red}^\infty_{M,h} ::= \sup_{n \in \mathbb{N}} \left(\mathrm{Red}^n_{M,h}\right) \in [0,1]. \qquad (3)$$

This quantity gives the total probability of $M$ to reduce to the head-normal form
$h$ in any number (possibly infinitely many) of finite reduction sequences.


Example 3. Recall the terms in Example 2. We have $\mathrm{Red}^\infty_{\delta L, xL} = p$ and
$\mathrm{Red}^\infty_{\delta L, yL} = 1 - p$. For any $h \in \mathrm{HNF}$ and $n \in \mathbb{N}$ we have $\mathrm{Red}^n_{\Omega,h} = 0$ so
$\mathrm{Red}^\infty_{\Omega,h} = 0$. The quantity $\mathrm{Red}^\infty_{\Theta(\lambda f.(f +_p y)), y}$ is the first example of limit, being
equal to 1 whereas $\mathrm{Red}^n_{\Theta(\lambda f.(f +_p y)), y} < 1$ for all $n \in \mathbb{N}$. Operationally this means
that the term $\Theta(\lambda f.(f +_p y))$ reduces to $y$ with probability 1 but the length
of these reductions is not bounded. Finally, $\mathrm{Red}^\infty_{\Theta(\lambda f.(yf +_p y)), y^n(y)} = (1-p)p^n$;
this means that $\Theta(\lambda f.(yf +_p y))$ converges with probability 1 but it can reach
infinitely many different head-normal forms.
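The transition matrix $\mathrm{Red}$ of Eq. (2) and the quantities of Examples 2 and 3, as an added Python example that is not part of the paper: terms are encoded with de Bruijn indices for bound variables and names for free ones (an encoding assumed here, not the paper's notation), one head step is computed directly on the unique decomposition $E[R]$, and $\mathrm{Red}^n$ is obtained by propagating a distribution for $n$ steps with head-normal forms absorbing. Probabilities are exact fractions, so the values $p^n$ and $1 - p^n$ of Example 2 can be checked literally for the general chain rather than for one hand-computed instance.

```python
from collections import defaultdict
from fractions import Fraction

# Term encoding (assumed by this example):
#   ('var', name)      free variable x in V
#   ('idx', k)         bound variable, de Bruijn index k
#   ('lam', body)      lambda x.M
#   ('app', f, a)      application M N
#   ('sum', p, l, r)   probabilistic choice M +_p N, p a Fraction in [0, 1]
def V(name): return ('var', name)
def I(k): return ('idx', k)
def L(body): return ('lam', body)
def A(f, a): return ('app', f, a)
def S(p, l, r): return ('sum', Fraction(p), l, r)

def shift(t, d, c=0):
    """Shift the de Bruijn indices >= cutoff c of t by d (free names untouched)."""
    k = t[0]
    if k == 'idx': return I(t[1] + d) if t[1] >= c else t
    if k == 'lam': return L(shift(t[1], d, c + 1))
    if k == 'app': return A(shift(t[1], d, c), shift(t[2], d, c))
    if k == 'sum': return S(t[1], shift(t[2], d, c), shift(t[3], d, c))
    return t

def subst(t, j, s):
    """Replace index j in t by s, shifting s when passing under a binder."""
    k = t[0]
    if k == 'idx': return s if t[1] == j else t
    if k == 'lam': return L(subst(t[1], j + 1, shift(s, 1)))
    if k == 'app': return A(subst(t[1], j, s), subst(t[2], j, s))
    if k == 'sum': return S(t[1], subst(t[2], j, s), subst(t[3], j, s))
    return t

def beta(body, arg):
    """M'{M''/x} for the redex (lambda x.M') M'': capture-avoiding by construction."""
    return shift(subst(body, 0, shift(arg, 1)), -1)

def step(t):
    """The non-zero entries of the row Red_{t,_} of Eq. (2) as [(probability, N)],
    or None when t is a head-normal form E[y] (an absorbing state)."""
    k = t[0]
    if k == 'lam':                        # E = lambda x.E'[ ]
        succ = step(t[1])
        return None if succ is None else [(q, L(u)) for q, u in succ]
    if k == 'sum':                        # R = M' +_p M''; if M' = M'' the two entries merge to 1
        return [(t[1], t[2]), (1 - t[1], t[3])]
    if k == 'app':
        f, a = t[1], t[2]
        if f[0] == 'lam':                 # R = (lambda x.M') M''
            return [(Fraction(1), beta(f[1], a))]
        succ = step(f)                    # E = E'[ ] a
        return None if succ is None else [(q, A(u, a)) for q, u in succ]
    return None                           # R = y in V: head-normal form

def red_n(t, n):
    """Row Red^n_{t,_}: distribution over terms after exactly n steps,
    head-normal forms being absorbing (Section 2)."""
    dist = {t: Fraction(1)}
    for _ in range(n):
        nxt = defaultdict(Fraction)
        for u, q in dist.items():
            succ = step(u)
            if succ is None:
                nxt[u] += q
            else:
                for r, v in succ:
                    if r:
                        nxt[v] += q * r
        dist = dict(nxt)
    return dist

def hnf_mass(t, n):
    """Sum over h in HNF of Red^n_{t,h}; monotone in n, its sup is the total mass of Eq. (3)."""
    return sum(q for u, q in red_n(t, n).items() if step(u) is None)

# The terms of Examples 1 and 2 (constructed here with p = 1/3).
p = Fraction(1, 3)
delta = L(A(I(0), I(0)))                        # lambda x.xx
omega = A(delta, delta)                         # delta delta
turing = L(L(A(I(0), A(A(I(1), I(1)), I(0)))))  # lambda xy.y(xxy)
theta = A(turing, turing)                       # Turing fixed point combinator
Lp = S(p, V('x'), V('y'))                       # L = x +_p y
M1 = L(S(p, I(0), V('y')))                      # lambda f.(f +_p y)

if __name__ == '__main__':
    print(red_n(A(delta, Lp), 2))   # {xL: p, yL: 1-p}
    print(red_n(omega, 10))         # {omega: 1}: absorbing but not a head-normal form
    for n in range(1, 4):           # after 4n steps: {Theta M1: p^n, y: 1-p^n}
        print(red_n(A(theta, M1), 4 * n))
```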


Given $M, N \in \Lambda^+$, we say that $M$ is contextually equivalent to $N$ if, and
only if, $\forall C[\ ]$, $\sum_{h \in \mathrm{HNF}} \mathrm{Red}^\infty_{C[M],h} = \sum_{h \in \mathrm{HNF}} \mathrm{Red}^\infty_{C[N],h}$.

An important property in the following is extensionality, meaning invariance
under $\eta$-equivalence. The $\eta$-equivalence is the smallest congruence such
that, for any $M \in \Lambda^+$ and $x \notin \mathrm{FV}(M)$ we have $M =_\eta \lambda x.Mx$. Notice that the
contextual equivalence is extensional (see [1] for the classical $\lambda$-calculus).


3 Probabilistic Coherence Spaces 


Girard introduced probabilistic coherence spaces (PCS) as a “quantitative refinement”
of coherence spaces [9]. Danos and Ehrhard considered then the category
$\mathbf{Pcoh}$ of linear and Scott-continuous functions between PCS as a model of linear
logic and the cartesian closed category $\mathbf{Pcoh}_!$ of entire functions between PCS as
the Kleisli category associated with the comonad of $\mathbf{Pcoh}$ modelling the exponential
modality [5]. They proved also that $\mathbf{Pcoh}_!$ provides an adequate model
of probabilistic PCF and the reflexive object $D$ which is our object of study.

The two categories $\mathbf{Pcoh}$ and $\mathbf{Pcoh}_!$ have been then studied in various
papers. In particular, $\mathbf{Pcoh}_!$ is proved to be fully abstract for the call-by-name
probabilistic PCF [7]. This result has been also extended to richer languages,
e.g. call-by-push-value probabilistic PCF [8]. The untyped model $D$ is proven
adequate for $\Lambda^+$ [6]. This paper is the continuation of the latter result, showing
full abstraction for $D$ as a consequence of a stronger form of adequacy.

We briefly recall here the cartesian closed category $\mathbf{Pcoh}_!$ and the reflexive
object $D$. Because of space we omit to consider the linear logic model $\mathbf{Pcoh}$,
from which $\mathbf{Pcoh}_!$ is derived. We refer the reader to [5,6] for more details.


Probabilistic coherence spaces and entire functions. A probabilistic coherence
space, or PCS for short, is a pair $\mathcal{X} = (|\mathcal{X}|, \mathrm{P}(\mathcal{X}))$ where $|\mathcal{X}|$ is a countable
set called the web of $\mathcal{X}$ and $\mathrm{P}(\mathcal{X})$ is a subset of the semi-module $(\mathbb{R}_{\geq 0})^{|\mathcal{X}|}$ such
that the following three conditions hold: (i) closedness: $\mathrm{P}(\mathcal{X})^{\perp\perp} = \mathrm{P}(\mathcal{X})$, where,
given a set $P \subseteq (\mathbb{R}_{\geq 0})^{|\mathcal{X}|}$, the dual of $P$ is defined as $P^\perp ::= \{y \in (\mathbb{R}_{\geq 0})^{|\mathcal{X}|} \mid
\forall x \in P,\ \sum_{a \in |\mathcal{X}|} x_a y_a \leq 1\}$; (ii) boundedness: $\forall a \in |\mathcal{X}|, \exists \mu > 0, \forall x \in \mathrm{P}(\mathcal{X})$,
$x_a \leq \mu$; (iii) completeness: $\forall a \in |\mathcal{X}|, \exists x \in \mathrm{P}(\mathcal{X}), x_a > 0$.

Given $x, y \in \mathrm{P}(\mathcal{X})$, we write $x \leq y$ for the order defined pointwise, i.e. for
every $a \in |\mathcal{X}|$, $x_a \leq y_a$. The closedness condition is equivalent to requiring that
$\mathrm{P}(\mathcal{X})$ is convex and Scott-closed, as stated below.


Proposition 1 (e.g. [4]). Given an index set $I$ and a subset $P \subseteq (\mathbb{R}_{\geq 0})^I$ which
is bounded and complete, we have $P = P^{\perp\perp}$ iff the following two conditions hold:
(i) $P$ is convex, i.e. for every $x, y \in P$ and $\lambda \in [0,1]$, $\lambda x + (1 - \lambda)y \in P$; (ii) $P$
is Scott-closed, i.e. for every $x \leq y \in P$, $x \in P$ and for every increasing chain
$\{x_i\}_{i \in \mathbb{N}} \subseteq P$, $\sup_i x_i \in P$.


A data-type is denoted by a PCS $\mathcal{X}$ and its data by vectors in $\mathrm{P}(\mathcal{X})$: convexity
allows for probabilistic superposition and Scott-closedness for recursion.


Example 4. A simple example of PCS is $\mathcal{U} = (|\mathcal{U}|, \mathrm{P}(\mathcal{U}))$ with $|\mathcal{U}|$ a singleton set
and $\mathrm{P}(\mathcal{U}) = [0,1]$. Notice $\mathrm{P}(\mathcal{U})^\perp = \mathrm{P}(\mathcal{U})$. This PCS gives the flat interpretation
of the unit type in a typed language. The boolean type is denoted by the two
dimensional PCS $\mathcal{B} ::= (\{\mathbf{t}, \mathbf{f}\}, \{(p_{\mathbf{t}}, p_{\mathbf{f}}) \mid p_{\mathbf{t}} + p_{\mathbf{f}} \leq 1\})$. Notice that $\mathrm{P}(\mathcal{B})$ can
be seen as the set of the probabilistic sub-distributions of the boolean values.
As soon as one considers functional types, the intuitive notion of (discrete)
sub-probability distribution is lost. In particular, the reflexive object $D$ defined
below is an example of an infinite dimensional PCS where arbitrarily big scalars
may appear in $\mathrm{P}(D)$. One can think of PCS's as a generalisation of the notion
of discrete sub-probability distributions allowing a cartesian closed category.
An entire function from $\mathcal{X}$ to $\mathcal{Y}$ is a matrix $f \in \mathbb{R}_{\geq 0}^{\mathcal{M}_f(|\mathcal{X}|) \times |\mathcal{Y}|}$ such that
for any $x \in \mathrm{P}(\mathcal{X})$, the image $f(x)$ under $f$ belongs to $\mathrm{P}(\mathcal{Y})$, where $f(x)$ is

$$f(x)_b = \sum_{m \in \mathcal{M}_f(|\mathcal{X}|)} f_{m,b}\, x^m \quad \text{for } b \in |\mathcal{Y}|, \qquad \text{where } x^m ::= \prod_{a \in \mathrm{Supp}(m)} x_a^{m(a)}. \qquad (4)$$

Notice that the condition $f(x) \in \mathrm{P}(\mathcal{Y})$ requires that the possibly infinite sum in
the previous equation must converge. Recently, Crubillé proved that the entire
maps can be characterised independently from their matrix representation as
the absolutely monotonic and Scott-continuous maps between PCS's, see [3].


The cartesian closed category. The Kleisli category $\mathbf{Pcoh}_!$ has PCS's as objects
and entire maps as morphisms. Given $f \in \mathbf{Pcoh}_!(\mathcal{X}, \mathcal{Y})$ and $g \in \mathbf{Pcoh}_!(\mathcal{Y}, \mathcal{Z})$,
the composition $g \circ f$ is the usual functional composition, whose matrix can
be explicitly given by, for $m \in \mathcal{M}_f(|\mathcal{X}|)$, $c \in |\mathcal{Z}|$:

$$(g \circ f)_{m,c} = \sum_{p \in \mathcal{M}_f(|\mathcal{Y}|)} g_{p,c}\, f^p_m \qquad \text{where } f^{[b_1, \dots, b_n]}_m ::= \sum_{(m_1, \dots, m_n) \text{ s.t. } m = \biguplus_i m_i} \ \prod_{i=1}^n f_{m_i, b_i}. \qquad (5)$$

The boundedness condition over $\mathcal{Z}$ and the completeness condition over $\mathcal{Y}$ ensure
that the possibly infinite sum over $p \in \mathcal{M}_f(|\mathcal{Y}|)$ in Eq. (5) converges. The identity
is the matrix $\mathrm{id}_{m,a} = \delta_{[a],m}$, where $\delta$ is the Kronecker delta.

The cartesian product of any countable family $(\mathcal{X}_i)_{i \in I}$ of PCS's is:

$$\Big|\prod_{i \in I} \mathcal{X}_i\Big| ::= \bigcup_{i \in I} \{i\} \times |\mathcal{X}_i|, \qquad
\mathrm{P}\Big(\prod_{i \in I} \mathcal{X}_i\Big) = \Big\{x \in (\mathbb{R}_{\geq 0})^{|\prod_{i \in I} \mathcal{X}_i|} \ \Big|\ \forall i \in I,\ \pi_i(x) \in \mathrm{P}(\mathcal{X}_i)\Big\}, \qquad (6)$$

where $\pi_i(x)$ is the vector in $(\mathbb{R}_{\geq 0})^{|\mathcal{X}_i|}$ denoting the $i$-th component of $x$, i.e.
$\pi_i(x)_a = x_{(i,a)}$. This means that $\mathrm{P}(\prod_{i \in I} \mathcal{X}_i)$ can be seen as the set-theoretical
product $\prod_{i \in I} \mathrm{P}(\mathcal{X}_i)$, by mapping $x \in \mathrm{P}(\prod_{i \in I} \mathcal{X}_i)$ to the sequence $(\pi_i(x))_{i \in I}$.
The $j$-th projection $\mathrm{pr}^j \in \mathbf{Pcoh}_!(\prod_{i \in I} \mathcal{X}_i, \mathcal{X}_j)$ is defined by $\mathrm{pr}^j_{m,b} = \delta_{m,[(j,b)]}$. If
all components of a product are equal to a PCS $\mathcal{X}$ we can use the exponential
notation $\mathcal{X}^I$. Binary products can be written as $\mathcal{X} \times \mathcal{Y}$. In the following, we will
often denote the finite multisets in $\mathcal{M}_f(|\prod_{i \in I} \mathcal{X}_i|)$ as $I$-families of finite multisets
almost everywhere empty, using the set-theoretical isomorphism:$^1$

$$\mathcal{M}_f\Big(\Big|\prod_{i \in I} \mathcal{X}_i\Big|\Big) \simeq \Big\{m \in \prod_{i \in I} \mathcal{M}_f(|\mathcal{X}_i|) \ \Big|\ \mathrm{Supp}(m) \text{ finite}\Big\}. \qquad (7)$$

For example, the multiset $[(0,a), (0,a'), (1,b)] \in \mathcal{M}_f(|\mathcal{X} \times \mathcal{Y}|)$ will be denoted
as the pair $([a,a'],[b])$, or the multiset $[(2,a), (4,a'), (4,a'')] \in \mathcal{M}_f(|\prod_{n \in \mathbb{N}} \mathcal{X}_n|)$
as the almost everywhere empty sequence $([], [], [a], [], [a',a''], [], \dots)$.

$^1$ In fact, this isomorphism corresponds, for $I$ finite, to the fundamental exponential
isomorphism $!(A \& B) \simeq\ !A \otimes !B$ of linear logic.
The object of morphisms from $\mathcal{X}$ to $\mathcal{Y}$ is $\mathbf{Pcoh}_!(\mathcal{X}, \mathcal{Y})$ itself, i.e.:

$$|\mathcal{X} \Rightarrow \mathcal{Y}| ::= \mathcal{M}_f(|\mathcal{X}|) \times |\mathcal{Y}|, \qquad \mathrm{P}(\mathcal{X} \Rightarrow \mathcal{Y}) ::= \mathbf{Pcoh}_!(\mathcal{X}, \mathcal{Y}). \qquad (8)$$

The proof that $\mathrm{P}(\mathcal{X} \Rightarrow \mathcal{Y})$ so defined enjoys the closedness, completeness and
boundedness conditions of the definition of a PCS is not trivial and it is argued
by the fact that $\mathbf{Pcoh}_!$ is the Kleisli category associated with the exponential
comonad of the linear logic model $\mathbf{Pcoh}$ mentioned in the introduction.

The evaluation $\mathrm{Ev}^{\mathcal{X},\mathcal{Y}} \in \mathbf{Pcoh}_!((\mathcal{X} \Rightarrow \mathcal{Y}) \times \mathcal{X}, \mathcal{Y})$ and the curryfication
$\mathrm{Cur}^{\mathcal{X},\mathcal{Z},\mathcal{Y}}(v) \in \mathbf{Pcoh}_!(\mathcal{Z}, \mathcal{X} \Rightarrow \mathcal{Y})$ of a morphism $v \in \mathbf{Pcoh}_!(\mathcal{X} \times \mathcal{Z}, \mathcal{Y})$ are:

$$\mathrm{Ev}^{\mathcal{X},\mathcal{Y}}_{(m,p),a} ::= \delta_{m,[(p,a)]}, \qquad \mathrm{Cur}^{\mathcal{X},\mathcal{Z},\mathcal{Y}}(v)_{m,(p,a)} ::= v_{(p,m),a}. \qquad (9)$$


The reflexive object $D$. We set $\mathcal{X} \sqsubseteq \mathcal{Y}$ whenever $|\mathcal{X}| \subseteq |\mathcal{Y}|$ and $\mathrm{P}(\mathcal{X}) =
\{v|_{|\mathcal{X}|} \text{ s.t. } v \in \mathrm{P}(\mathcal{Y})\}$, where $v|_{|\mathcal{X}|}$ is the vector in $\mathbb{R}_{\geq 0}^{|\mathcal{X}|}$ obtained by restricting
$v \in \mathbb{R}_{\geq 0}^{|\mathcal{Y}|}$ to the indexes in $|\mathcal{X}| \subseteq |\mathcal{Y}|$. This defines a complete order over
PCS's. The model $D$ of $\Lambda^+$ is then given by the least fix-point of the Scott-continuous
functor $\mathcal{X} \mapsto \mathcal{X}^{\mathbb{N}} \Rightarrow \mathcal{U}$ (where $\mathcal{U}$ is the one-dimensional PCS defined
in Example 4). We do not detail here its definition, but we give explicitly the
chain $D_0 = (\emptyset, \emptyset)$, $D_{\ell+1} = D_\ell^{\mathbb{N}} \Rightarrow \mathcal{U}$ whose (co)limit is the least fix-point $D$ of
$\mathcal{X} \mapsto \mathcal{X}^{\mathbb{N}} \Rightarrow \mathcal{U}$ by the Knaster-Tarski theorem. We refer to [5, Sect. 2] for details.
The webs of these spaces are given by:

$$|D_0| ::= \emptyset, \qquad |D_{\ell+1}| ::= \mathcal{M}_f(|D_\ell|)^{(\mathbb{N})}, \qquad |D| ::= \bigcup_{\ell \in \mathbb{N}} |D_\ell|, \qquad (10)$$

where $\mathcal{M}_f(|D_\ell|)^{(\mathbb{N})}$ denotes the set of infinite sequences of multisets of $|D_\ell|$ that
are almost everywhere empty (notice we are using the isomorphism mentioned in
Eq. (7)). The set $|D_1|$ is the singleton containing the infinite sequence $([], [], [], \dots)$
of empty multisets, which we denote by $\star$. Given a multiset $m \in \mathcal{M}_f(|D_\ell|)$ and
a sequence $d \in |D_{\ell+1}|$, we denote by $m :: d$ the element of $|D_{\ell+1}|$ having at
first position $m$ and then all the multisets of $d$ shifted by one position. Notice
that any element of $|D_{\ell+1}|$ can be written as $m_1 :: \dots :: m_n :: \star$ for an $n$ sufficiently
large and $m_1, \dots, m_n \in \mathcal{M}_f(|D_\ell|)$. In particular, $[] :: \star = \star$.$^2$

The sets of vectors $\mathrm{P}(D_\ell)$ and $\mathrm{P}(D)$ completing the definition of a PCS are:

$$\mathrm{P}(D_0) ::= \emptyset, \qquad
\mathrm{P}(D_{\ell+1}) ::= \Big\{v \in (\mathbb{R}_{\geq 0})^{|D_{\ell+1}|} \text{ s.t. } \forall n \in \mathbb{N}, \forall u_1, \dots, u_n \in \mathrm{P}(D_\ell),\ \sum_{m_1, \dots, m_n \in \mathcal{M}_f(|D_\ell|)} v_{m_1 :: \dots :: m_n :: \star} \prod_{i=1}^n u_i^{m_i} \leq 1\Big\}, \qquad (11)$$

$$\mathrm{P}(D) ::= \{v \in (\mathbb{R}_{\geq 0})^{|D|} \text{ s.t. } \forall \ell \in \mathbb{N},\ v|_{|D_\ell|} \in \mathrm{P}(D_\ell)\}.$$

The above definition of $\mathrm{P}(D_{\ell+1})$ is actually equivalent to the standard one
inferred from the definition of the countable product $D_\ell^{\mathbb{N}}$, which would require
to apply $v$ to a countable family $(u_i)_{i \in \mathbb{N}}$ of vectors in $\mathrm{P}(D_\ell)$. The two definitions
are equivalent because of the continuity of the scalar multiplication and the sum.

$^2$ The elements of $|D|$ can be seen as intersection types generated from the constant
$\star$, the $::$ operation being the arrow and multisets non-idempotent intersections.

$$\llbracket x \rrbracket^\Gamma_{m,d} = \begin{cases} 1 & \text{if } m_x = [d] \text{ and } \forall y \in \Gamma \setminus x,\ m_y = [], \\ 0 & \text{otherwise} \end{cases}$$

$$\llbracket \lambda x.M \rrbracket^\Gamma_{m, m' :: d} = \llbracket M \rrbracket^{\Gamma,x}_{(m,m'),d}$$

$$\llbracket MN \rrbracket^\Gamma_{m,d} = \sum_{m' \in \mathcal{M}_f(|D|)} \ \sum_{\substack{(m_1, m_2) \text{ s.t.} \\ \forall x \in \Gamma,\ m_x = m_{1,x} \uplus m_{2,x}}} \llbracket M \rrbracket^\Gamma_{m_1, m' :: d}\, \big(\llbracket N \rrbracket^\Gamma\big)^{m'}_{m_2}$$

$$\llbracket M +_p N \rrbracket^\Gamma_{m,d} = p\, \llbracket M \rrbracket^\Gamma_{m,d} + (1 - p)\, \llbracket N \rrbracket^\Gamma_{m,d}$$

Fig. 1. Explicit definition of the denotation of a term in $\Lambda^+$ as a matrix in $\mathrm{P}(D^\Gamma \Rightarrow D)$.
Recall Eq. (5) for the notation $(\llbracket N \rrbracket^\Gamma)^{m'}_{m_2}$.

It happens that any solution of $\mathcal{X} = \mathcal{X}^{\mathbb{N}} \Rightarrow \mathcal{U}$ gives also a solution (although
not minimal) to $\mathcal{X} = \mathcal{X} \Rightarrow \mathcal{X}$ and hence a reflexive object of $\mathbf{Pcoh}_!$. The
isomorphism pair $\lambda \in \mathbf{Pcoh}_!(D \Rightarrow D, D)$ and $\mathrm{app} \in \mathbf{Pcoh}_!(D, D \Rightarrow D)$ is given
by, for any $p \in \mathcal{M}_f(|D \Rightarrow D|)$, $m, q \in \mathcal{M}_f(|D|)$, and $d \in |D|$,

$$\lambda_{p,\, m :: d} ::= \delta_{p,\, [(m,d)]}, \qquad \mathrm{app}_{q,\, (m,d)} ::= \delta_{q,\, [m :: d]}. \qquad (12)$$

It is easy to check that $\mathrm{app} \circ \lambda = \mathrm{id}^{D \Rightarrow D}$ and $\lambda \circ \mathrm{app} = \mathrm{id}^D$, so $(D, \lambda, \mathrm{app})$ yields
an extensional model of untyped $\lambda$-calculus, i.e. $\llbracket M \rrbracket = \llbracket N \rrbracket$ whenever $M =_\eta N$.


Interpretation of the Terms of $\Lambda^+$. Given a term $M$ and a list $\Gamma$ of pairwise different
variables containing $\mathrm{FV}(M)$, the interpretation of $M$ is a morphism $\llbracket M \rrbracket^\Gamma \in
\mathbf{Pcoh}_!(D^\Gamma, D)$, i.e. a matrix in $\mathbb{R}_{\geq 0}^{\mathcal{M}_f(|D^\Gamma|) \times |D|} \simeq \mathbb{R}_{\geq 0}^{\mathcal{M}_f(|D|)^\Gamma \times |D|}$. The definition of
$\llbracket M \rrbracket^\Gamma$ is the standard one determined by the cartesian closed structure of $\mathbf{Pcoh}_!$
and the reflexive object $(D, \lambda, \mathrm{app})$: $\llbracket x \rrbracket^\Gamma$ is the $x$-th projection of the product
$D^\Gamma$, $\llbracket \lambda x.M \rrbracket^\Gamma = \lambda \circ \mathrm{Cur}(\llbracket M \rrbracket^{\Gamma,x})$ and $\llbracket MN \rrbracket^\Gamma = \mathrm{Ev} \circ \langle \mathrm{app} \circ \llbracket M \rrbracket^\Gamma, \llbracket N \rrbracket^\Gamma \rangle$,
where $\langle\ ,\ \rangle$ is the cartesian product of two morphisms. Figure 1 makes explicit
the coefficients of the matrix $\llbracket M \rrbracket^\Gamma$ by structural induction on $M$. The only non-standard
operation is the barycentric sum $\llbracket M +_p N \rrbracket$ which is still a morphism
of $\mathbf{Pcoh}_!$ by the convexity of $\mathrm{P}(D^\Gamma \Rightarrow D)$ (Proposition 1).


Proposition 2 (Soundness, [5,6]). For every term $M \in \Lambda^+$ and sequence
$\Gamma \supseteq \mathrm{FV}(M)$: $\llbracket M \rrbracket^\Gamma = \sum_{N \in \Lambda^+} \mathrm{Red}_{M,N}\, \llbracket N \rrbracket^\Gamma$.


4 Strong Adequacy 


In this section we state and prove Theorem 1, enhancing the $\mathbf{Pcoh}_!$ adequacy
property given in [6]. This latter explains the computational meaning of the mass
of $\llbracket M \rrbracket$ restricted to $D_\ell \sqsubseteq D$, while our generalisation considers the whole $\llbracket M \rrbracket$,
showing that it encodes the way the operational semantics dispatches the mass
into the denotation of the head-normal forms. As in [6], the proof of Theorem 1
adapts a method introduced by Pitts [14], consisting in building a recursively
specified relation of formal approximation $\lhd$ (Proposition 3) which satisfies the
same recursive equation as $D$. However, our generalisation requires a subtler
definition of $\lhd$ with respect to [6]. In particular, we must consider open terms
in order to prove Lemma 7.


The approximation relation. Let us introduce some convenient notation, extending
the definition of $\lambda$-abstraction and application to general morphisms.


Definition 1. Given $v \in \mathrm{P}(D^{\Gamma,x} \Rightarrow D)$, let $\Lambda(v)$ be the vector $\lambda \circ \mathrm{Cur}(v) \in
\mathrm{P}(D^\Gamma \Rightarrow D)$. Given $v, u \in \mathrm{P}(D^\Gamma \Rightarrow D)$ let $v @ u$ be the vector $\mathrm{Ev} \circ \langle \mathrm{app} \circ v, u \rangle \in
\mathrm{P}(D^\Gamma \Rightarrow D)$. Finally, given a finite sequence $u_1, \dots, u_n \in \mathrm{P}(D^\Gamma \Rightarrow D)$, for $n \in
\mathbb{N}$, we denote by $v @ u_1 \dots u_n$ the vector $(v @ u_1) @ \dots @ u_n$.


Lemma 1. The map $v \mapsto \Lambda(v)$ is linear, i.e. for any vectors $v, v'$ and scalars
$p, p' \in [0,1]$ such that $p + p' \leq 1$, we have $\Lambda(pv + p'v') = p\Lambda(v) + p'\Lambda(v')$, and
Scott-continuous, i.e. for any countable increasing chain $(u_n)_{n \in \mathbb{N}}$, $\Lambda(\sup_n(u_n)) =
\sup_n(\Lambda(u_n))$. The map $(v, u_1, \dots, u_n) \mapsto v @ u_1 \dots u_n$ is Scott-continuous on all
of its arguments but linear only on its first argument $v$.

Proof. Scott-continuity is because the scalar multiplication and the sum are
Scott-continuous. The linearity is because the matrices $\mathrm{app}$, $\lambda$ are associated with
linear maps (namely, they have non-zero coefficients only on singleton multisets,
see (12)) as well as the left-most component of $\mathrm{Ev}$, see (9).


For any $\Gamma \subseteq \Delta$ there exists the projection $\mathrm{pr} : \mathrm{P}(D)^\Delta \to \mathrm{P}(D)^\Gamma$. Then,
given a matrix $v \in \mathrm{P}(D^\Gamma \Rightarrow D)$ we denote by $v{\uparrow^\Delta} \in \mathrm{P}(D^\Delta \Rightarrow D)$ the matrix
corresponding to the pre-composition of the morphism associated with $v$ with
$\mathrm{pr}$. This can be explicitly defined by, for $m \in \mathcal{M}_f(|D|)^\Delta$, $d \in |D|$: $(v{\uparrow^\Delta})_{m,d} ::=
v_{(m_x)_{x \in \Gamma},\, d}$ if $\forall y \in \Delta \setminus \Gamma$, $m_y = []$, and $(v{\uparrow^\Delta})_{m,d} = 0$ otherwise.

We define an operation $\phi$ acting on the relations $R \subseteq \bigcup_\Gamma (\mathrm{P}(D^\Gamma \Rightarrow D) \times \Lambda^+_\Gamma)$.
Each component $\phi^\Gamma(R) \subseteq \mathrm{P}(D^\Gamma \Rightarrow D) \times \Lambda^+_\Gamma$ is given by:

$$\begin{array}{l}
(v, M) \in \phi^\Gamma(R) \ \text{ iff } \ \forall \Delta \supseteq \Gamma,\ \forall n \in \mathbb{N},\ \forall u_1, \dots, u_n \in \mathrm{P}(D^\Delta \Rightarrow D), \\
\quad \forall N_1, \dots, N_n \in \Lambda^+_\Delta \text{ s.t. } (u_i, N_i) \in R \text{ for all } i \leq n, \\
\quad v{\uparrow^\Delta} @ u_1 \dots u_n \ \leq \ \sum_{h \in \mathrm{HNF}_\Delta} \mathrm{Red}^\infty_{MN_1 \dots N_n,\, h}\, \llbracket h \rrbracket^\Delta.
\end{array} \qquad (13)$$

The above definition is similar to Eq. (11), giving $D_{\ell+1}$ from $D_\ell$. In the following
we look for a fixed-point of $\phi$ (Proposition 3). Its quest is not simple because $\phi$ is
not monotone. We derive then from $\phi$ a monotone operator $\psi$ on a larger space,
and we compute its fixed-point by using Tarski's Theorem (Lemma 3).

Given $(R^+, R^-) \in \mathcal{P}\big(\bigcup_\Gamma (\mathrm{P}(D^\Gamma \Rightarrow D) \times \Lambda^+_\Gamma)\big)^2$, we define $\psi(R^+, R^-) =
(\phi(R^-), \phi(R^+))$. Given two such pairs $(R_1^+, R_1^-)$, $(R_2^+, R_2^-)$, we define $(R_1^+, R_1^-)
\sqsubseteq (R_2^+, R_2^-)$ iff $R_1^+ \subseteq R_2^+$ and $R_1^- \supseteq R_2^-$.
Lemma 2. The relation $\sqsubseteq$ is an order relation giving a complete lattice on
$\mathcal{P}\big(\bigcup_\Gamma (\mathrm{P}(D^\Gamma \Rightarrow D) \times \Lambda^+_\Gamma)\big)^2$.

Thanks to the previous lemma, we set $(\lhd^+, \lhd^-)$ as the glb of the set $\{(R^+, R^-) \mid
\psi(R^+, R^-) \sqsubseteq (R^+, R^-)\}$ of the pre-fixed points of $\psi$.

Lemma 3. $\psi(\lhd^+, \lhd^-) = (\lhd^+, \lhd^-)$, so $\lhd^+ = \phi(\lhd^-)$ and $\lhd^- = \phi(\lhd^+)$.

Proof. One can check that $\psi$ is monotone increasing wrt $\sqsubseteq$, so the result follows
from Tarski's Theorem on fixed points.


Lemma 4. For any $R \subseteq \bigcup_\Gamma (\mathrm{P}(D^\Gamma \Rightarrow D) \times \Lambda^+_\Gamma)$ and $M \in \Lambda^+_\Gamma$, the set $\{v \in
\mathrm{P}(D^\Gamma \Rightarrow D) \mid (v, M) \in \phi^\Gamma(R)\}$ contains $0$, is downward closed and chain closed.

Proof. Consequence of the fact that the application $v @ u_1 \dots u_n$ and the lifting
$v{\uparrow^\Delta}$ are Scott-continuous (Lemma 1). Also, $v{\uparrow^\Delta}$ is linear as well as $v @ u_1 \dots u_n$
on its left argument $v$ (always Lemma 1), so $0{\uparrow^\Delta} @ u_1 \dots u_n = 0$.


Proposition 3. We have $\lhd^+ = \lhd^-$. From now on we denote it simply by $\lhd$.
We note $\lhd^\Gamma$ its component on $\mathrm{P}(D^\Gamma \Rightarrow D) \times \Lambda^+_\Gamma$.

Proof. First $(\lhd^-, \lhd^+)$ is a (pre-)fixed point of $\psi$ so $(\lhd^+, \lhd^-) \sqsubseteq (\lhd^-, \lhd^+)$, i.e.
$\lhd^+ \subseteq \lhd^-$. To prove the converse, we reason by induction on $|D|$. For $v \in
\mathrm{P}(D^\Gamma \Rightarrow D)$ and $\ell \in \mathbb{N}$, we note $v_{|\ell}$ its restriction to $|D^\Gamma \Rightarrow D_\ell|$, i.e.: $(v_{|\ell})_{m,d} =
v_{m,d}$ if $d \in |D_\ell|$, and $(v_{|\ell})_{m,d} = 0$ otherwise. Notice that $v_{|\ell}$ is a morphism in
$\mathrm{P}(D^\Gamma \Rightarrow D)$, since $v_{|\ell} \leq v \in \mathrm{P}(D^\Gamma \Rightarrow D)$. We prove by induction on $\ell$ that:

$$\forall v \in \mathrm{P}(D^\Gamma \Rightarrow D),\ \forall M \in \Lambda^+_\Gamma, \quad (v, M) \in \lhd^- \text{ implies } (v_{|\ell}, M) \in \lhd^+.$$

For $\ell = 0$ we have $v_{|0} = 0$ so by Lemma 4 $(v_{|0}, M) \in \lhd^+ = \phi(\lhd^-)$. At level
$\ell + 1$ we want to prove $(v_{|\ell+1}, M) \in \lhd^+ = \phi(\lhd^-)$. Let $\Delta \supseteq \Gamma$, $u_1, \dots, u_n \in
\mathrm{P}(D^\Delta \Rightarrow D)$, $N_1, \dots, N_n \in \Lambda^+_\Delta$ such that for all $i \leq n$, $(u_i, N_i) \in \lhd^-$. By induction
hypothesis we have $((u_i)_{|\ell}, N_i) \in \lhd^+$ for all $i \leq n$. Besides by hypothesis
$(v, M) \in \lhd^- = \phi(\lhd^+)$ and we have $v_{|\ell+1} \leq v$ so Lemma 4 gives $(v_{|\ell+1}, M) \in
\phi(\lhd^+)$. Hence $v_{|\ell+1}{\uparrow^\Delta} @ (u_1)_{|\ell} \dots (u_n)_{|\ell} \leq \sum_{h \in \mathrm{HNF}_\Delta} \mathrm{Red}^\infty_{MN_1 \dots N_n, h} \llbracket h \rrbracket^\Delta$. We
conclude by observing that $v_{|\ell+1}{\uparrow^\Delta} @ (u_1)_{|\ell} \dots (u_n)_{|\ell} = v_{|\ell+1}{\uparrow^\Delta} @ u_1 \dots u_n$.

Now if $(v, M) \in \lhd^-$ then for all $\ell \in \mathbb{N}$, $(v_{|\ell}, M) \in \lhd^+$, but we have $v =
\sup_{\ell \in \mathbb{N}} v_{|\ell}$ so Lemma 4 gives $(v, M) \in \lhd^+$.


The key lemma. Lemma 9 is the so-called key-lemma for the relation $\lhd$. The
reasoning is standard, except for the proof of Lemma 8 allowing strong adequacy.


Lemma 5. For $M \in \Lambda^+_{\Gamma,x}$, $N \in \Lambda^+_\Gamma$, $(v, (\lambda x.M)N) \in \lhd^\Gamma$ iff $(v, M\{N/x\}) \in \lhd^\Gamma$.

Proof. Observe that for all $n \in \mathbb{N}$, $N_1, \dots, N_n \in \Lambda^+$ and $h \in \mathrm{HNF}$ we have
$\mathrm{Red}^\infty_{(\lambda x.M)NN_1 \dots N_n,\, h} = \mathrm{Red}^\infty_{M\{N/x\}N_1 \dots N_n,\, h}$.


Lemma 6. Let $(v, M)$ and $(r, L)$ in $\lhd^\Gamma$, then $(pv + (1 - p)r,\ M +_p L) \in \lhd^\Gamma$.

Proof. Simply observe that for all $h \in \mathrm{HNF}$ and $N_1, \dots, N_n \in \Lambda^+$ we have
$\mathrm{Red}^\infty_{(M +_p L)N_1 \dots N_n,\, h} = p\, \mathrm{Red}^\infty_{MN_1 \dots N_n,\, h} + (1 - p)\, \mathrm{Red}^\infty_{LN_1 \dots N_n,\, h}$.


Lemma 7. For all $x \in \Gamma$, $(\mathrm{pr}^x, x) \in \lhd^\Gamma$.

Proof. Given any $\Delta \supseteq \Gamma$, $n \in \mathbb{N}$ and $(u_1, N_1), \dots, (u_n, N_n) \in \lhd^\Delta$, we have:

$$\sum_{h \in \mathrm{HNF}_\Delta} \mathrm{Red}^\infty_{xN_1 \dots N_n,\, h}\, \llbracket h \rrbracket^\Delta = \llbracket xN_1 \dots N_n \rrbracket^\Delta = \mathrm{pr}^x{\uparrow^\Delta} @ \llbracket N_1 \rrbracket^\Delta \dots \llbracket N_n \rrbracket^\Delta.$$

Besides for all $i \leq n$, as $(u_i, N_i) \in \lhd^\Delta$ we have $u_i \leq \sum_{h \in \mathrm{HNF}_\Delta} \mathrm{Red}^\infty_{N_i, h} \llbracket h \rrbracket^\Delta \leq
\llbracket N_i \rrbracket^\Delta$. The latter inequality is because Proposition 2 implies that for all $k \in \mathbb{N}$,
$\sum_{h \in \mathrm{HNF}_\Delta} \mathrm{Red}^k_{N_i, h} \llbracket h \rrbracket^\Delta \leq \llbracket N_i \rrbracket^\Delta$. The application $@$ being increasing in both its
arguments we have $\mathrm{pr}^x{\uparrow^\Delta} @ u_1 \dots u_n \leq \mathrm{pr}^x{\uparrow^\Delta} @ \llbracket N_1 \rrbracket^\Delta \dots \llbracket N_n \rrbracket^\Delta$.
Lemma 8. Let $(v, M) \in \mathrm{P}(D^\Gamma \Rightarrow D) \times \Lambda^+_\Gamma$, we have $(v, M) \in \lhd^\Gamma$ iff for all
$(r, L) \in \lhd^\Delta$ with $\Delta \supseteq \Gamma$, $(v{\uparrow^\Delta} @ r,\ ML) \in \lhd^\Delta$.

Proof. If $(v, M) \in \lhd^\Gamma = \phi^\Gamma(\lhd)$ and $(r, L) \in \lhd^\Delta$ then using the definition of $\phi$
it is easy to check that $(v{\uparrow^\Delta} @ r, ML) \in \lhd^\Delta$. Conversely if for all $(r, L) \in \lhd^\Delta$
we have $(v{\uparrow^\Delta} @ r, ML) \in \lhd^\Delta$ and we want to prove that $(v, M) \in \phi^\Gamma(\lhd)$ then
the conditions of Eq. (13) trivially hold whenever $n \geq 1$, so we need to consider
only the case for $n = 0$.

Suppose that for all $(r, L) \in \lhd^\Delta$, $(v{\uparrow^\Delta} @ r, ML) \in \lhd^\Delta$, let us prove that
$v \leq \sum_{h \in \mathrm{HNF}_\Gamma} \mathrm{Red}^\infty_{M,h} \llbracket h \rrbracket^\Gamma$. Let $x$ be a fresh variable, according to Lemma 7 we
have $(\mathrm{pr}^x, x) \in \lhd^{\Gamma,x}$ so $v{\uparrow^{\Gamma,x}} @ \mathrm{pr}^x \leq \sum_{h \in \mathrm{HNF}_{\Gamma,x}} \mathrm{Red}^\infty_{Mx,h} \llbracket h \rrbracket^{\Gamma,x}$. Then:

$$\begin{array}{lll}
v & = \Lambda(v{\uparrow^{\Gamma,x}} @ \mathrm{pr}^x) & \text{extensionality of } D \\
  & \leq \Lambda\Big(\sum_{h \in \mathrm{HNF}_{\Gamma,x}} \mathrm{Red}^\infty_{Mx,h} \llbracket h \rrbracket^{\Gamma,x}\Big) & \text{monotonicity of } \Lambda(),\ \text{Lemma 1} \\
  & = \sum_{h \in \mathrm{HNF}_{\Gamma,x}} \mathrm{Red}^\infty_{Mx,h}\, \Lambda(\llbracket h \rrbracket^{\Gamma,x}) & \text{linearity and contin. of } \Lambda(),\ \text{Lemma 1} \\
  & = \sum_{h \in \mathrm{HNF}_{\Gamma,x}} \mathrm{Red}^\infty_{Mx,h}\, \llbracket \lambda x.h \rrbracket^\Gamma & \text{def. of } \Lambda().
\end{array}$$

One can check that for $h \in \mathrm{HNF}_{\Gamma,x}$, $\mathrm{Red}^\infty_{Mx,h} = \sum_{h_0 \in \mathrm{HNF}_\Gamma} \mathrm{Red}^\infty_{M,h_0}\, \mathrm{Red}^\infty_{h_0 x,\, h}$
(recall that $x$ is not free in $M$). If $h_0$ is a head-normal form $yP_1 \dots P_m$ then
$\mathrm{Red}^\infty_{h_0 x, h} \neq 0$ only if $h = yP_1 \dots P_m x$ with $x \notin \mathrm{FV}(yP_1 \dots P_m)$ (and $\mathrm{Red}^\infty_{h_0 x, h} =
1$). If $h_0 = \lambda x_0.h'$ then $\mathrm{Red}^\infty_{h_0 x, h} \neq 0$ only if $h = h'\{x/x_0\}$ (and $\mathrm{Red}^\infty_{h_0 x, h} = 1$).
In the first case we have $\llbracket \lambda x.h \rrbracket^\Gamma = \llbracket \lambda x.(h_0 x) \rrbracket^\Gamma = \llbracket h_0 \rrbracket^\Gamma$. In the second case
we have $\lambda x.h = h_0$ modulo $\alpha$-equivalence and $\llbracket \lambda x.h \rrbracket^\Gamma = \llbracket h_0 \rrbracket^\Gamma$. Therefore:

$$v \leq \sum_{h_0 \in \mathrm{HNF}_\Gamma} \mathrm{Red}^\infty_{M,h_0}\, \llbracket h_0 \rrbracket^\Gamma.$$


Lemma 9 (Key Lemma). For all $M \in \Lambda^+_\Gamma$ with $\Gamma = \{y_1, \dots, y_n\}$, for all $\Delta \supseteq
\Gamma$, for all $u_1, \dots, u_n$ in $\mathrm{P}(D^\Delta \Rightarrow D)$ and $N_1, \dots, N_n$ in $\Lambda^+_\Delta$ with $(u_i, N_i) \in \lhd^\Delta$,

$$\big(\llbracket M \rrbracket^\Gamma \circ \langle u_1, \dots, u_n \rangle,\ M\{N_1/y_1, \dots, N_n/y_n\}\big) \in \lhd^\Delta.$$

Proof. The proof is by induction on $M$. The abstraction uses Lemmas 5 and 8,
the application uses Lemma 8 and the barycentric sum Lemma 6.


Theorem 1 (Strong adequacy). For all $M \in \Lambda^+_\Gamma$ we have:

$$\llbracket M \rrbracket^\Gamma = \sum_{h \in \mathrm{HNF}_\Gamma} \mathrm{Red}^\infty_{M,h}\, \llbracket h \rrbracket^\Gamma.$$

Proof. The invariance of the interpretation by reduction (Proposition 2) gives
that for all $n \in \mathbb{N}$, $\llbracket M \rrbracket^\Gamma = \sum_{N \in \Lambda^+_\Gamma} \mathrm{Red}^n_{M,N} \llbracket N \rrbracket^\Gamma \geq \sum_{h \in \mathrm{HNF}_\Gamma} \mathrm{Red}^n_{M,h} \llbracket h \rrbracket^\Gamma$. When
$n \to \infty$ we get $\llbracket M \rrbracket^\Gamma \geq \sum_{h \in \mathrm{HNF}_\Gamma} \mathrm{Red}^\infty_{M,h} \llbracket h \rrbracket^\Gamma$.

Conversely using Lemma 9 with $\Delta = \Gamma$ and $(u_i, N_i) = (\mathrm{pr}^{y_i}, y_i)$, which is in
$\lhd$ thanks to Lemma 7, we get $(\llbracket M \rrbracket^\Gamma, M) \in \lhd^\Gamma$. The definition of $\lhd = \phi(\lhd)$
with $\Delta = \Gamma$ and $n = 0$ gives $\llbracket M \rrbracket^\Gamma \leq \sum_{h \in \mathrm{HNF}_\Gamma} \mathrm{Red}^\infty_{M,h} \llbracket h \rrbracket^\Gamma$.


5 Nakajima Trees and Full Abstraction 


We apply our strong adequacy to infer full abstraction (Theorem 2). As mentioned
in the Introduction, the bridge linking syntax and semantics is given by
the notion of probabilistic Nakajima tree defined by Leventis [12] (here Definitions
2 and 3) in order to prove a separation theorem for $\Lambda^+$. Lemma 11 shows
that the equality of Nakajima trees implies the denotational equality. The proof
of this lemma uses the strong adequacy property.


Definition 2. The set $\mathrm{PT}_\ell$ of Nakajima trees with depth at most $\ell \in \mathbb{N}$ is
the set of subprobability distributions over value Nakajima trees $\mathrm{VT}_\ell$. These
sets are defined by mutual recursion as follows:

$$\mathrm{VT}_0 = \emptyset, \qquad \mathrm{VT}_{\ell+1} = \{\lambda x_1 x_2 \dots .\, y\, T_1 T_2 \dots \mid y \in \mathcal{V},\ \forall i,\ T_i \in \mathrm{PT}_\ell\},$$

$$\mathrm{PT}_0 = \{\bot\}, \qquad \mathrm{PT}_{\ell+1} = \Big\{T \in [0,1]^{\mathrm{VT}_{\ell+1}} \ \Big|\ \sum_{t \in \mathrm{VT}_{\ell+1}} T(t) \leq 1\Big\}.$$

The notation $\bot$ represents the empty function (i.e. the distribution with empty
support), encoding undefinedness and allowing directed sets of approximants.

Value Nakajima trees represent infinitary $\eta$-long head-normal forms: up to
$\eta$-equivalence every head-normal form $h = \lambda x_1 \dots x_n.yM_1 \dots M_m$ is equal to
$\lambda x_1 \dots x_{n+k}.yM_1 \dots M_m x_{n+1} \dots x_{n+k}$ for any $k \in \mathbb{N}$ and $x_{n+1}, \dots, x_{n+k}$ fresh,
and value Nakajima trees are infinitary variants of such $\eta$-expansions.


Definition 3. By mutual recursion we associate value trees $\mathrm{VT}_\ell$ with head-normal
forms and general trees $\mathrm{PT}_\ell$ with general $\Lambda^+$ terms:

$$\mathrm{VT}_{\ell+1}(\lambda x_1 \dots x_n.yM_1 \dots M_m) = \lambda x_1 \dots x_n x_{n+1} \dots .\, y\, \mathrm{PT}_\ell(M_1) \dots \mathrm{PT}_\ell(M_m)\, \mathrm{PT}_\ell(x_{n+1}) \dots$$

where the $x_i$'s are pairwise distinct variables and, for $i > n$, the $x_i$'s are fresh;

$$\mathrm{PT}_0(M) = \bot, \qquad \mathrm{PT}_{\ell+1}(M) = t \mapsto \sum_{h \in (\mathrm{VT}_{\ell+1})^{-1}(t)} \mathrm{Red}^\infty_{M,h}.$$

Remark 1. In [12], following the definition of deterministic Nakajima trees in [1],
the value tree $\mathrm{VT}_{\ell+1}(\lambda x_1 \dots x_n.yM_1 \dots M_m)$ includes explicitly the difference
$n - m$. This yields a heavier but somewhat more convenient definition, as then
Lemma 10 also holds for $\ell = 1$. In this paper we chose to use the lighter definition.
This choice does not influence the Nakajima tree equality by Lemma 10.


Example 5. Figure 2(a) depicts some examples of value Nakajima trees associated
with the head-normal form $\lambda x_1.y(\Omega x_1)x_1$. Notice that these trees are
equivalent to the Nakajima trees associated with $y(\Omega x_1)$ as well as $y\Omega$. In fact,
all these terms are contextually equivalent.

Figure 2(b) shows the Nakajima tree of depth 2 associated with the term
$y(u +_q v) +_p (y' +_{p'} \Omega)$. Notice that the two sums $+_p$ and $+_{p'}$ contribute to the
same subprobability distribution, whereas they are kept distinct from the sum
$+_q$ on the argument side of an application.

Figure 2(c) gives some examples of the Nakajima trees associated with the
term $\Theta(\lambda f.(y +_p y(f)))$, discussed also in Examples 2 and 3. Notice that the more
the depth $\ell$ increases, the more the top-level distribution's support grows.


It is clear that the family $(\mathrm{PT}_\ell(M))_{\ell \in \mathbb{N}}$ converges to a limit, but we do not
need to make it explicit for our purposes, so we avoid defining the topology over
$\bigcup_\ell \mathrm{PT}_\ell$ yielding the convergence of $(\mathrm{PT}_\ell(M))_{\ell \in \mathbb{N}}$.

The next lemma shows that the first levels of a $\mathrm{VT}_\ell$ of a head-normal form
$h$ give a lot of information about the shape of $h$.


Lemma 10. Given two head-normal forms $h = \lambda x_1 \dots x_n.yM_1 \dots M_m$ and $h' =
\lambda x_1 \dots x_{n'}.y'M'_1 \dots M'_{m'}$ and any $\ell \geq 2$, if $\mathrm{VT}_\ell(h) = \mathrm{VT}_\ell(h')$, then $y = y'$ and
$n - m = n' - m'$.

Proof. The fact $y = y'$ follows immediately from the definition of $\mathrm{VT}_\ell$. Concerning
the second equality, one can assume $n = n'$ by $\eta$-expanding one of the
two terms, in fact $\mathrm{VT}_\ell$ is invariant under $\eta$-expansion. Modulo $\alpha$-equivalence,
we can then restrict ourselves to consider the case of $h = \lambda x_1 \dots x_n.yM_1 \dots M_m$
and $h' = \lambda x_1 \dots x_n.yM'_1 \dots M'_{m'}$.

Suppose, for the sake of contradiction, that $m > m'$. Then we should have
$\mathrm{PT}_{\ell-1}(M_{m'+1}) = \mathrm{PT}_{\ell-1}(x_{n+1})$, where $x_{n+1}$ is a fresh variable, in particular
$x_{n+1} \notin \mathrm{FV}(M_{m'+1})$. Since $\ell - 1 > 0$, we have that $\mathrm{PT}_{\ell-1}(x_{n+1})(t) = 1$ only if $t$ is
equal to $\lambda z_1 z_2 \dots .\, x_{n+1}\, \mathrm{PT}_{\ell-2}(z_1)\, \mathrm{PT}_{\ell-2}(z_2) \dots$, otherwise $\mathrm{PT}_{\ell-1}(x_{n+1})(t) = 0$.
So, $\mathrm{PT}_{\ell-1}(M_{m'+1}) = \mathrm{PT}_{\ell-1}(x_{n+1})$ implies that $\mathrm{Red}^\infty_{M_{m'+1},\, h} > 0$ for some $h$
having $x_{n+1}$ as free variable, which is impossible since $x_{n+1} \notin \mathrm{FV}(M_{m'+1})$.


Fig. 2. Examples of Nakajima trees. Distributions are represented by barycentric sums,
depicted as $+$ nodes whose outgoing edges are weighted by probabilities.
(a) $\mathrm{VT}_\ell(\lambda x_1.y(\Omega x_1)x_1)$ for some $\ell$, also equal to $\mathrm{VT}_\ell(y\Omega)$ (panels for $\ell = 1$ and $\ell = 2$).
(b) $\mathrm{PT}_2(y(u +_q v) +_p (y' +_{p'} \Omega))$. Notice the layers of distributions.
(c) $\mathrm{PT}_\ell(\Theta(\lambda f.(y +_p y(f))))$ for some $\ell$ (panels for $\ell = 1$ and $\ell = 2$).

Thanks to the strong adequacy property we can prove that for $M \in \Lambda^+$ each
coefficient of $\llbracket M \rrbracket^\Gamma$ is entirely defined by $\mathrm{PT}_\ell(M)$ for $\ell$ large enough. To do so
we define the following size on $|D|$, $\mathcal{M}_f(|D|)$ and $\mathcal{M}_f(|D|)^\Gamma \times |D|$:

$$\begin{array}{ll}
\#(\star) = 0 & \text{for the base element,} \\
\#(m :: d) = \#(m) + \#(d) & \text{for } m \in \mathcal{M}_f(|D|) \text{ and } d \in |D|, \\
\#([d_1, \dots, d_n]) = n + \sum_i \#(d_i) & \text{for } d_1, \dots, d_n \in |D|, \\
\#(m, d) = \#(d) + \sum_{x \in \Gamma} \#(m_x) & \text{for } m \in \mathcal{M}_f(|D|)^\Gamma \text{ and } d \in |D|.
\end{array}$$


Lemma 11. Given $\ell \in \mathbb{N}$ and $M, N \in \Lambda^+_\Gamma$, if $\mathrm{PT}_\ell(M) = \mathrm{PT}_\ell(N)$ then for any
$(m, d) \in \mathcal{M}_f(|D|)^\Gamma \times |D|$ with $\#(m, d) < \ell$, we have $\llbracket M \rrbracket^\Gamma_{m,d} = \llbracket N \rrbracket^\Gamma_{m,d}$.


Proof. We do induction on $\ell$. If $\ell \leq 1$, then $\#(m, d) = 0$ implies $d = \star$ and
for every $x \in \Gamma$, $m_x = []$. In this case we remark that both $\llbracket M \rrbracket^\Gamma_{m,d}$ and $\llbracket N \rrbracket^\Gamma_{m,d}$
are null. This in fact can be easily checked by inspecting the rules of Fig. 1,
computing the matrix denoting a term by structural induction over the term.

Otherwise, by Theorem 1, we have: $\llbracket M \rrbracket^\Gamma_{m,d} = \sum_{h \in \mathrm{HNF}_\Gamma} \mathrm{Red}^\infty_{M,h} \llbracket h \rrbracket^\Gamma_{m,d}$. This
last sum can be refactored as $\sum_{t \in \mathrm{VT}_\ell} \sum_{h \in (\mathrm{VT}_\ell)^{-1}(t)} \mathrm{Red}^\infty_{M,h} \llbracket h \rrbracket^\Gamma_{m,d}$. A similar
reasoning for $N$ gives $\llbracket N \rrbracket^\Gamma_{m,d} = \sum_{t \in \mathrm{VT}_\ell} \sum_{h \in (\mathrm{VT}_\ell)^{-1}(t)} \mathrm{Red}^\infty_{N,h} \llbracket h \rrbracket^\Gamma_{m,d}$.

Let us fix a $t \in \mathrm{VT}_\ell$ and $(m, d) \in \mathcal{M}_f(|D|)^\Gamma \times |D|$ with $\#(m, d) < \ell$. Let us
prove that:

$$\text{for any } h, h' \in (\mathrm{VT}_\ell)^{-1}(t), \text{ we have } \llbracket h \rrbracket^\Gamma_{m,d} = \llbracket h' \rrbracket^\Gamma_{m,d}. \qquad (\circ)$$

Notice that $(\circ)$ implies $\llbracket M \rrbracket^\Gamma_{m,d} = \llbracket N \rrbracket^\Gamma_{m,d}$ since the hypothesis $\mathrm{PT}_\ell(M) =
\mathrm{PT}_\ell(N)$ gives $\sum_{h \in (\mathrm{VT}_\ell)^{-1}(t)} \mathrm{Red}^\infty_{M,h} = \sum_{h \in (\mathrm{VT}_\ell)^{-1}(t)} \mathrm{Red}^\infty_{N,h}$, for any $t \in \mathrm{VT}_\ell$.

Let then $h = \lambda x_1 \dots x_n.yM_1 \dots M_k$ and $h' = \lambda x_1 \dots x_{n'}.y'M'_1 \dots M'_{k'}$. Since
$\ell \geq 2$, $\mathrm{VT}_\ell(h) = \mathrm{VT}_\ell(h')$ implies by Lemma 10 that $y = y'$ and $n - k = n' - k'$.
Since $D$ is extensional (see Sect. 3), by $\eta$-expanding one of the two terms, we can
suppose $n = n'$ and, then, $k = k'$. Besides if $n > 0$ let us write $d = m' :: d'$, we
have $\llbracket h \rrbracket^\Gamma_{m,d} = \llbracket \lambda x_2 \dots x_n.yM_1 \dots M_k \rrbracket^{\Gamma,x_1}_{(m,m'),d'}$ with $\#((m,m'),d') = \#(m,d)$,
and similarly for $\llbracket h' \rrbracket^\Gamma_{m,d}$. So, we can reduce to consider the case: $h = yM_1 \dots M_k$
and $h' = yM'_1 \dots M'_k$. If $k = 0$ the claim $(\circ)$ is trivial, otherwise by unfolding the
applications of $h$ using the applicative case in Fig. 1, we have that:

$$\llbracket h \rrbracket^\Gamma_{m,d} = \sum_{m'_1, \dots, m'_k \in \mathcal{M}_f(|D|)} \ \sum_{\substack{(m_0, \dots, m_k) \\ \text{s.t. } m = \biguplus_i m_i}} \llbracket y \rrbracket^\Gamma_{m_0,\, m'_1 :: \dots :: m'_k :: d}\, \big(\llbracket M_1 \rrbracket^\Gamma\big)^{m'_1}_{m_1} \cdots \big(\llbracket M_k \rrbracket^\Gamma\big)^{m'_k}_{m_k}$$

and the same for $h'$, replacing each $M_i$ with $M'_i$. Notice that $\llbracket y \rrbracket^\Gamma_{m_0,\, m'_1 :: \dots :: m'_k :: d} \neq
0$ implies $(m_0)_y = [m'_1 :: \dots :: m'_k :: d]$, hence $\#(m'_i) < \#(m_0)$ for any $i \leq k$, thus
$\#(m_i, m'_i) < \#(m_i) + \#(m_0) \leq \#(m) \leq \#(m, d) < \ell$, and so $\#(m_i, m'_i) < \ell - 1$.
Moreover, the hypothesis $\mathrm{VT}_\ell(h) = \mathrm{VT}_\ell(h')$ implies $\mathrm{PT}_{\ell-1}(M_i) = \mathrm{PT}_{\ell-1}(M'_i)$
for any $i \leq k$, so we conclude by induction hypothesis on each term in the sums
appearing in $(\llbracket M_i \rrbracket^\Gamma)^{m'_i}_{m_i}$ and $(\llbracket M'_i \rrbracket^\Gamma)^{m'_i}_{m_i}$.


Corollary 1. Let $M, N \in \Lambda^+_\Gamma$. If $\forall \ell \in \mathbb{N}$, $\mathrm{PT}_\ell(M) = \mathrm{PT}_\ell(N)$, then $\llbracket M \rrbracket^\Gamma = \llbracket N \rrbracket^\Gamma$.

Theorem 2. For any two terms $M, N \in \Lambda^+_\Gamma$, the following are equivalent:

1. $M$ and $N$ are contextually equivalent;
2. $M$ and $N$ have the same Nakajima trees;
3. $M$ and $N$ have the same interpretation in $D$.

Proof. (1) to (2) is given by [12, Theorem 10.1]. From (2) and Corollary 1, we get
(3). Finally, (3) implies (1) by the adequacy of probabilistic coherence spaces,
proven in [6, Corollary 25].
Abstract. This work investigates three notions of program equivalence
for a higher-order functional language with recursion and general algebraic
effects, in which programs are written in continuation-passing style.
Our main contribution is the following: we define a logic whose formulas
express program properties and show that, under certain conditions
which we identify, the induced program equivalence coincides with a
contextual equivalence. Moreover, we show that this logical equivalence
also coincides with an applicative bisimilarity. We exemplify our general
results with the nondeterminism, probabilistic choice, global store and
I/O effects.


1 Introduction 


Logic is a fundamental tool for specifying the behaviour of programs. A general
approach is to consider that a logical formula $\phi$ encodes a program property, and
the satisfaction relation of the logic, $t \models \phi$, asserts that program $t$ enjoys property
$\phi$. An example is Hennessy-Milner logic [12] used to model concurrency and
nondeterminism. Other program logics include Hoare logic [13], which describes
imperative programs with state, and more recently separation logic [28]. Both
state and nondeterminism are examples of computational effects [25], which represent
impure behaviour in a functional programming language. The logics mentioned
so far concern languages with first-order functions, so as a natural extension,
we are interested in finding a logic which describes higher-order programs
with general effects.

The particular flavour of effects we consider is that of algebraic effects developed
by Plotkin and Power [32-34]. This is a unified framework in which effectful
computation is triggered by a set of operations whose behaviour is axiomatized
by a set of equations. For example, nondeterminism is given by a binary choice
operation $\mathrm{or}(-,-)$ that satisfies the equations of a semilattice. Thus, general
effectful programs have multiple possible execution paths, which can be visualized
as an (effect) tree, with effect operations labelling the nodes. Consider the
following function $\mathrm{or\_suc}$ which has three possible return values, and the effect
tree of $(\mathrm{or\_suc}\ 2)$:

$$\mathrm{or\_suc} = \lambda x{:}\mathrm{nat}.\ \mathrm{or}(x,\ \mathrm{or}(x + 1,\ x + 2))$$

The effect tree of $(\mathrm{or\_suc}\ 2)$ has a root labelled $\mathrm{or}$ with two children: the leaf $2$
and a node labelled $\mathrm{or}$ whose children are the leaves $3$ and $4$.
Apart from state and nondeterminism, examples of algebraic effects include prob- 
abilistic choice and input and output operations. 

Apart from providing a specification language for programs, a logic can also 
be used to compare two different programs. This leads to a notion of program 
equivalence: two programs are equivalent when they satisfy exactly the same 
formulas in the logic. 

Many other definitions of program equivalence for higher-order languages exist. An early notion is contextual equivalence [26], which asserts that two programs are equivalent if they have the same observable behaviour in all program contexts. However, this is hard to establish in practice due to the quantification over all contexts. Another approach, which relies on the existence of a suitable denotational model of the language, is checking equality of denotations. Yet another notion, meant to address the shortcomings of the previous two, is that of applicative bisimilarity [1].

Given the wide range of definitions of program equivalence, comparing them 
is an interesting question. For example, the equivalence induced by Hennessy- 
Milner logic is known to coincide with bisimilarity for CCS. Thus, we not only 
aim to find a logic describing general algebraic effects, but also to compare it to 
existing notions of program equivalence. 

Program equivalence for general algebraic effects has been studied by Johann, Simpson and Voigtländer [17] who define a notion of contextual equivalence and a corresponding logical relation. Dal Lago, Gavazzo and Levy [7] provide an abstract treatment of applicative bisimilarity in the presence of algebraic effects. Working in a typed, call-by-value setting, Simpson and Voorneveld [38] propose a modal logic for effectful programs whose induced program equivalence coincides with applicative bisimilarity, but not with contextual equivalence (see the counterexample in Sect. 5). Dal Lago, Gavazzo and Tanaka [8] propose a notion of applicative similarity that coincides with contextual equivalence for an untyped, call-by-name effectful calculus.

These papers provide the main starting point for our work. Our goal is to 
find a logic of program properties which characterizes contextual equivalence for 
a higher-order language with algebraic effects. We study a typed call-by-value 
language in which programs are written in continuation-passing style (CPS). 
CPS is known to simplify contextual equivalence, through the addition of control 
operators (e.g. [5]), but it also implies that all notions of program equivalence we 
define can only use continuations to test return values. Contextual equivalence 
and bisimilarity for lambda-calculi with control, but without general effects, have 
been studied extensively (e.g. [4,15,23,41]). 

In CPS, functions receive as argument the continuation (which is itself a function) to which they pass their return value. Consider the function that adds two natural numbers. This usually has type nat → nat → nat, but its CPS version is defined as: addk = λ(n:nat, m:nat, k:nat→R). k (n + m) for some fixed return type R. The function or_suc becomes in CPS:

or_succ = λ(x:nat, k:nat→R). or(k x, or(addk (x, 1, k), addk (x, 2, k))).


A general translation of direct-style functions into CPS can be found in Sect. 5. 

We fix a calculus named ECPS (Sect. 2), in which programs are not expected to return, except through a call to the continuation. Contextual equivalence is defined using a custom set of observations 𝔓, where the elements of 𝔓 are sets of effect trees. We consider a logic F whose formulas express properties of ECPS programs (Sect. 3). For example, or_succ satisfies the following formula:

φ = ({2}, ({3} ∨ {4}) → □) → ◇.

Here, ◇ is the set of all effect trees for which at least one execution path succeeds and □ is the set of trees that always succeed. So or_succ ⊨_F φ says that, when given arguments 2 and a continuation that always succeeds for input 3 or 4, then or_succ may succeed. In other words, or_succ may 'return' 3 or 4 to the continuation. In contrast, φ' = ({2}, ({3} ∨ {4}) → □) → □ says that the program or_succ must return 3 or 4 to the continuation. Thus or_succ ⊭_F φ' because the continuation k might diverge on 2.

Another example can be obtained by generalizing the or_succ function to take a function as a parameter, rather than using addk:

or_succ' = λ(x:nat, k:nat→R, f:(nat, nat, nat→R)→R). or(k x, or(f (x, 1, k), f (x, 2, k)))

or_succ' ⊨_F ({2}, {4} → ◇, ({2}, {2}, {4} → ◇) → ◇) → ◇.

The formula above says that or_succ' may call f with arguments 2, 2 and k.

The main theorem concerning the logic F (Theorem 1) is that, under certain restrictions on the observations in 𝔓, logical equivalence coincides with contextual equivalence. In other words, F is sound and complete with respect to contextual equivalence. The proof of this theorem, outlined in Sect. 4, involves applicative bisimilarity as an intermediate step. Thus, we show in fact that three notions of program equivalence for ECPS are the same: logical equivalence, contextual equivalence and applicative bisimilarity. Due to space constraints, proofs are omitted but they can be found in [21].


2 Programming Language — ECPS 


We consider a simply-typed functional programming language with general recursion, a datatype of natural numbers and general algebraic effects as introduced by Plotkin and Power [32]. We will refer to this language as ECPS because programs are written in continuation-passing style.

ECPS distinguishes between terms which can reduce further, named computations, and values, which cannot reduce. ECPS is a variant of both Plotkin's PCF [31] and Levy's Jump-With-Argument language [20], extended with algebraic effects. A fragment of ECPS is discussed in [18] in connection with logic.


Types A, A_i, B ::= (A_1, …, A_n)→R | nat   (n ≥ 0)
Typing contexts Γ ::= ∅ | Γ, x : A.

The only base type in ECPS is nat. The return type of functions, R, is fixed and is not a first-class type. Intuitively, we consider that functions are not expected to return. A type in direct style A → B becomes in ECPS: (A, B→R)→R. In the typing context (Γ, x : A), the free variable x does not appear in Γ.

First, consider the pure fragment of ECPS, without effects, named CPS:

Values v, w ::= zero | succ(v) | λ(x_1:A_1, …, x_n:A_n).t | x   (n ≥ 0)
Computations s, t ::= v(w_1, …, w_n) | case v of {zero ⇒ s, succ(x) ⇒ t} | (rec x.v)(w_1, …, w_n).

Variables, natural numbers and lambdas are values. Computations include function application and an eliminator for natural numbers. The expression rec x.v is a recursive definition of the function v, which must be applied. If exactly one argument appears in a lambda abstraction or an application term, we will sometimes omit the parentheses around that argument.

There are two typing relations in CPS, one for values Γ ⊢ v : A, which says that value v has type A in the context Γ, and one for computations Γ ⊢ t : R. This says that t is well-formed given the context Γ. All computations have the same return type R. We also define the order of a type recursively, which roughly speaking counts the number of function arrows → in a type.


$$
\frac{}{\Gamma, x{:}A \vdash x : A}
\qquad
\frac{\Gamma, \vec{x}{:}\vec{A} \vdash t : R}{\Gamma \vdash \lambda(\vec{x}{:}\vec{A}).t : (\vec{A})\to R}
\qquad
\frac{}{\Gamma \vdash \mathsf{zero} : \mathsf{nat}}
\qquad
\frac{\Gamma \vdash v : \mathsf{nat}}{\Gamma \vdash \mathsf{succ}(v) : \mathsf{nat}}
$$

$$
\frac{\Gamma \vdash v : (\vec{A})\to R \quad (\Gamma \vdash w_i : A_i)_i}{\Gamma \vdash v(\vec{w}) : R}
\qquad
\frac{\Gamma, x{:}(\vec{A})\to R \vdash v : (\vec{A})\to R \quad (\Gamma \vdash w_i : A_i)_i}{\Gamma \vdash (\mathsf{rec}\ x.v)(\vec{w}) : R}
$$

$$
\frac{\Gamma \vdash v : \mathsf{nat} \quad \Gamma \vdash t : R \quad \Gamma, x{:}\mathsf{nat} \vdash s : R}{\Gamma \vdash \mathsf{case}\ v\ \mathsf{of}\ \{\mathsf{zero} \Rightarrow t,\ \mathsf{succ}(x) \Rightarrow s\} : R}
$$

$$
\mathrm{ord}(\mathsf{nat}) = 0 \qquad \mathrm{ord}(()\to R) = 1 \qquad \mathrm{ord}((A_1, \ldots, A_n)\to R) = \max_{1 \le i \le n}(\mathrm{ord}(A_i)) + 1 \quad (\text{if } n > 0)
$$


To introduce algebraic effects into our language, we consider a new kind of context Σ, disjoint from Γ, which we call an effect context. The symbols σ appearing in Σ stand for effect operations and their type must have either order 1 or 2. For example, the binary choice operation or : (()→R, ()→R)→R expects two thunked computations. The output operation output : (nat, ()→R)→R expects a parameter and a continuation. An operation signifying success, which takes no arguments, is ↓ : ()→R. Roughly, Σ could be regarded as a countable algebraic signature.

We extend the syntax of CPS with effectful computations. The typing relations now carry a Σ context: Γ ⊢_Σ v : A and Γ ⊢_Σ t : R. Otherwise, the typing judgements remain unchanged; we have a new rule for typing effect operations:

$$
\frac{\sigma : (\vec{A}, \vec{B})\to R \in \Sigma \quad (\Gamma \vdash_\Sigma v_i : A_i)_i \quad (\Gamma \vdash_\Sigma k_j : B_j)_j}{\Gamma \vdash_\Sigma \sigma(\vec{v}, \vec{k}) : R}
\qquad\qquad
s, t ::= \ldots \mid \sigma(\vec{v}, \vec{k})
$$

In ECPS, the only type with order 0 is nat, so in fact A_i = nat for all i. Notice that the grammar does not allow function abstraction over a symbol from Σ and that σ is not a first-class term. So we can assume that Σ is fixed, as in the examples from Sect. 2.1.

As usual, we identify terms up to alpha-equivalence. Substitution of values for free variables that are not operations, v[w/x] and t[w/x], is defined in the standard way by induction on the structure of v and t. We use n̄ to denote the term succ^n(zero). Let (⊢_Σ) be the set of well-formed closed computations and (⊢_Σ A) the set of closed values of type A.


2.1 Operational Semantics 


We define a family of relations on closed computation terms (→) ⊆ (⊢_Σ) × (⊢_Σ) for any effect context Σ:

$$
\begin{aligned}
(\lambda(\vec{x}{:}\vec{A}).t)(\vec{w}) &\to t[\vec{w}/\vec{x}] \\
(\mathsf{rec}\ x.v)(\vec{w}) &\to (v[(\lambda(\vec{y}{:}\vec{A}).(\mathsf{rec}\ x.v)(\vec{y}))/x])(\vec{w}) \\
\mathsf{case}\ \mathsf{zero}\ \mathsf{of}\ \{\mathsf{zero} \Rightarrow s,\ \mathsf{succ}(x) \Rightarrow t\} &\to s \\
\mathsf{case}\ \mathsf{succ}(v)\ \mathsf{of}\ \{\mathsf{zero} \Rightarrow s,\ \mathsf{succ}(x) \Rightarrow t\} &\to t[v/x].
\end{aligned}
$$

Observe that the reduction given by → can either run forever or terminate with an effect operation. If the effect operation does not take any arguments of order 1 (i.e. continuations), the computation stops. If the reduction reaches σ(v⃗, k⃗), the intuition is that any continuation k_j may be chosen, and executed with the results of operation σ. Thus, repeatedly evaluating effect operations leads to the construction of an infinitely branching tree (similar to that in [32]), as we now explain, which we call an effect tree. A path in the tree represents a possible execution path of the program.

An effect tree, of possibly infinite depth and width, can contain:

— leaves labelled ⊥, which signifies nontermination of →;

— leaves labelled σ_v⃗, where σ : (A⃗)→R ∈ Σ and (⊢_Σ v_i : A_i)_i;

— nodes labelled σ_v⃗, where σ : (A⃗, B⃗)→R ∈ Σ and each ⊢_Σ v_i : A_i; such a node has an infinite number of children t_0, t_1, ….

Denote the set of all effect trees by Trees_Σ. This set has a partial order: tr_1 ≤ tr_2 if and only if tr_1 can be obtained by replacing subtrees of tr_2 by ⊥. Every ascending chain t_1 ≤ t_2 ≤ … has a least upper bound ⊔_n t_n. In fact Trees_Σ is the free pointed Σ-algebra [2] and therefore also has a coinductive property [9].

Next, we define a sequence of effect trees associated with each well-formed closed computation. Each element in the sequence can be seen as evaluating the computation one step further. Let ⟦−⟧_(−) : (⊢_Σ) × ℕ → Trees_Σ:

⟦t⟧_0 = ⊥
⟦t⟧_{m+1} = ⟦s⟧_m   if t → s

These are all the cases since well-formed computations do not get stuck. We define the function ⟦−⟧ : (⊢_Σ) → Trees_Σ as the least upper bound of the chain {⟦t⟧_n}_{n∈ℕ}: ⟦t⟧ = ⊔_{n∈ℕ} ⟦t⟧_n.

We now give examples of effect contexts Σ for different algebraic effects, and of some computations and their associated effect trees.


Example 1 (Pure functional computation). Σ = {↓ : ()→R}. Intuitively, ↓ is a top-level success flag, analogous to a 'barb' in process algebra. This is to ensure a reasonable contextual equivalence for CPS programs, which never actually return results. For example, loop = (rec f.λ().(f ())) () runs forever, and

test_zero = λ(y:nat). case y of {zero ⇒ ↓ (), succ(x) ⇒ loop}

is a continuation that succeeds just when it is passed zero. Generally, an effect tree for a pure computation is either ↓ if it succeeds or ⊥ otherwise.


Example 2 (Nondeterminism). Σ = {or : (()→R, ()→R)→R, ↓ : ()→R}. Intuitively, or(k_1, k_2) performs a nondeterministic choice between computations k_1 () and k_2 (). Consider a continuation test_3 : nat→R that diverges on 3 and succeeds otherwise. The program or_succ from the introduction is in ECPS:

or_succ = λ(x:nat, k:nat→R). or(λ(). k x, λ(). or(λ(). k (succ(x)), λ(). k (succ(succ(x)))))

(Effect tree of or_succ (2̄, test_3): ⟦or_succ (2̄, test_3)⟧ = or(↓, or(⊥, ↓)), that is, an or-node with a ↓ leaf on the left and, on the right, an or-node with leaves ⊥ and ↓.)


Example 3 (Probabilistic choice). Σ = {p-or : (()→R, ()→R)→R, ↓ : ()→R}. Intuitively, the operation p-or(k_1, k_2) chooses between k_1 () and k_2 () with probability 0.5. Consider the following term which encodes the geometric distribution:

geom = λk:nat→R. (rec f. λ(n:nat, k':nat→R). p-or(λ().k' n, λ().f (succ(n), k'))) (1̄, k).

The probability that geom passes a number n > 0 to its continuation is 2^{−n}. To test it, consider k = (λx:nat. ↓ ()); then ⟦geom k⟧ is an infinite tree:

⟦geom k⟧ = p-or(↓, ⟦geom k⟧)

(a p-or node with a ↓ leaf on the left and a copy of ⟦geom k⟧ on the right).
Example 4 (Global store). L is a finite set of locations storing natural numbers and Σ = {lookup_l : (nat→R)→R, update_l : (nat, ()→R)→R | l ∈ L} ∪ {↓ : ()→R}. Intuitively, lookup_l(k) looks up the value at storage location l, if this is n̄ it continues with k (n̄). For update_l(v, k) the intuition is: write the number v in location l then continue with the computation k (). For example:

⟦update_{l_1}(1̄, λ().lookup_{l_1}(λx:nat. case x of {zero ⇒ ↓ (), succ(y) ⇒ loop}))⟧ = update_{l_1,1}(lookup_{l_1}(↓, ⊥, ⊥, …))

Only the second branch of lookup_{l_1} can occur. The other branches are still present in the tree because ⟦−⟧ treats effect operations as uninterpreted syntax.


Example 5 (Interactive input/output). Σ = {↓ : ()→R, output : (nat, ()→R)→R, input : (nat→R)→R}. Intuitively, the computation input(k) accepts number n̄ from the input channel and continues with k (n̄). The computation output(v, k) writes v to the output channel then continues with computation k (). Below is a computation that inputs a number n̄ then outputs it immediately, and repeats.

⟦echo⟧ = ⟦(rec f. λ(). input(λx:nat. output(x, λ().f ()))) ()⟧ = input(output_0(⟦echo⟧), output_1(⟦echo⟧), output_2(⟦echo⟧), …)

(an input node whose n-th child is an output_n node with the single child ⟦echo⟧).


2.2 Contextual Equivalence 


Informally, two terms are contextually equivalent if they have the same observable behaviour in all program contexts. The definition of observable behaviour depends on the programming language under consideration. In ECPS, we can observe effectful behaviour such as interactive output values or the probability with which a computation succeeds. This behaviour is encoded by the effect tree of a computation. Therefore, we represent an ECPS observation as a set of effect trees P. A computation t exhibits observation P if ⟦t⟧ ∈ P.

For a fixed set of effect operations Σ, we define the set 𝔓 of possible observations. The elements of 𝔓 are subsets of Trees_Σ. Observations play a similar role to the modalities from [38]. For our running examples of effects, 𝔓 is defined as follows:


Example 6 (Pure functional computation). Define 𝔓 = {⇓} where ⇓ = {↓}. There are no effect operations so the ⇓ observation only checks for success.

Example 7 (Nondeterminism). Define 𝔓 = {◇, □} where:

◇ = {tr ∈ Trees_Σ | at least one of the paths in tr has a ↓ leaf}
□ = {tr ∈ Trees_Σ | the paths in tr are all finite and finish with a ↓}.

The intuition is that, if ⟦t⟧ ∈ ◇, then computation t may succeed, whereas if ⟦t⟧ ∈ □, then t must succeed.
Example 8 (Probabilistic choice). Define P : Trees_Σ → [0, 1] to be the least function, by the pointwise order, such that:

P(↓) = 1      P(p-or(tr_0, tr_1)) = ½ P(tr_0) + ½ P(tr_1).

Notice that P(⊥) = 0. Then observations are defined as:

P_{>q} = {tr ∈ Trees_Σ | P(tr) > q}      𝔓 = {P_{>q} | q ∈ ℚ, 0 ≤ q < 1}.

This means that ⟦t⟧ ∈ P_{>q} if the probability that t succeeds is greater than q.
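As an added illustration of Examples 7 and 8 (and of the geom tree from Example 3), and not code from the paper: the Python below models finite effect trees over the or/p-or signatures, the order ≤ of Sect. 2.1, the ◇ and □ observations, the success probability P and the observations P_{>q}, and evaluates P on finite approximants of ⟦geom k⟧, whose values 1 − 2^{−n} show why ⟦geom k⟧ lies in every P_{>q} with q < 1. Tree constructors and function names are my own, and the approximants are indexed by recursion unfoldings rather than reduction steps.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Callable, List, Tuple, Union

class Leaf:
    """A leaf of an effect tree: ⊥ (nontermination) or ↓ (success)."""
    def __init__(self, name: str) -> None:
        self.name = name
    def __repr__(self) -> str:
        return self.name

BOT = Leaf("⊥")
SUCC = Leaf("↓")

@dataclass(frozen=True)
class Node:
    """An inner node labelled by an effect operation (here 'or' or 'p-or')."""
    op: str
    children: Tuple["Tree", ...]

Tree = Union[Leaf, Node]

def leq(t1: Tree, t2: Tree) -> bool:
    """Order of Sect. 2.1: t1 ≤ t2 iff t1 is t2 with some subtrees replaced by ⊥."""
    if t1 is BOT:
        return True
    if isinstance(t1, Leaf) or isinstance(t2, Leaf):
        return t1 is t2
    return (t1.op == t2.op and len(t1.children) == len(t2.children)
            and all(leq(a, b) for a, b in zip(t1.children, t2.children)))

# Example 7: the may (◇) and must (□) observations for nondeterminism.
def may_succeed(t: Tree) -> bool:
    """tr ∈ ◇: at least one path ends in a ↓ leaf."""
    if isinstance(t, Leaf):
        return t is SUCC
    return any(may_succeed(c) for c in t.children)

def must_succeed(t: Tree) -> bool:
    """tr ∈ □: every path is finite and ends in ↓ (a ⊥ leaf breaks this)."""
    if isinstance(t, Leaf):
        return t is SUCC
    return all(must_succeed(c) for c in t.children)

# Example 8: P is the least function with P(↓) = 1 and
# P(p-or(tr0, tr1)) = ½P(tr0) + ½P(tr1); minimality forces P(⊥) = 0.
def prob_success(t: Tree) -> Fraction:
    if t is SUCC:
        return Fraction(1)
    if t is BOT:
        return Fraction(0)
    assert t.op == "p-or" and len(t.children) == 2, "probabilistic trees use binary p-or"
    return (prob_success(t.children[0]) + prob_success(t.children[1])) / 2

def in_P_gt(q) -> Callable[[Tree], bool]:
    """The observation P_{>q} = {tr | P(tr) > q}, as a predicate on trees."""
    q = Fraction(q)
    return lambda t: prob_success(t) > q

# ⟦or_succ (2̄, test_3)⟧ from Example 2, where test_3 diverges on 3 and
# succeeds otherwise: or(↓, or(⊥, ↓)).
OR_SUCC_TREE: Tree = Node("or", (SUCC, Node("or", (BOT, SUCC))))

def geom_approx(n: int) -> Tree:
    """Finite approximant of ⟦geom k⟧ (Example 3) with k = λx:nat. ↓ ().

    The full tree is p-or(↓, p-or(↓, ...)); the index counts unfoldings of the
    recursion rather than single reduction steps, a simplification of ⟦−⟧_n
    that yields an ascending chain with the same least upper bound."""
    t: Tree = BOT
    for _ in range(n):
        t = Node("p-or", (SUCC, t))
    return t

def geom_success_probs(n: int) -> List[Fraction]:
    """P(⟦geom k⟧_i) for i = 0..n; these equal 1 - 2^-i and converge to 1."""
    return [prob_success(geom_approx(i)) for i in range(n + 1)]

def first_approximant_in_P_gt(q, limit: int = 64) -> int:
    """Smallest n (up to limit) with ⟦geom k⟧_n ∈ P_{>q}, or -1 if none.

    By Scott-openness (Definition 5), if ⟦geom k⟧ lies in P_{>q} then some finite
    approximant already does. Observations only use q < 1, so one is always found:
    geom k and ↓ () pass the same observations, as in geom (λx:nat. ↓ ()) ≡ctx ↓ ()."""
    obs = in_P_gt(q)
    for n in range(limit + 1):
        if obs(geom_approx(n)):
            return n
    return -1
```

Passing q = 1 returns -1: no approximant has P > 1, which is why P_{>1} is excluded from 𝔓 and cannot separate geom k from ↓ ().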


Example 9 (Global store). Define the set of states as the set of functions from storage locations to natural numbers: State = L → ℕ. Given a state S, we write ⟨S⇓⟩ ⊆ Trees_Σ for the set of effect trees that terminate when starting in state S. More precisely, ⟨−⇓⟩ is the least State-indexed family of sets satisfying the following:

$$
\frac{}{\downarrow \in \langle S{\Downarrow}\rangle}
\qquad
\frac{l \in L \quad tr_{S(l)} \in \langle S{\Downarrow}\rangle}{\mathsf{lookup}_l(tr_0, tr_1, tr_2, \ldots) \in \langle S{\Downarrow}\rangle}
\qquad
\frac{l \in L \quad tr \in \langle S[l := n]{\Downarrow}\rangle}{\mathsf{update}_{l,n}(tr) \in \langle S{\Downarrow}\rangle}
$$

The set of observations is: 𝔓 = {⟨S⇓⟩ | S ∈ State}.


Example 10 (Interactive input/output). An I/O-trace is a finite word w over the alphabet {?n | n ∈ ℕ} ∪ {!n | n ∈ ℕ}. For example, ?1!1?2!2?3!3. The set of observations is: 𝔓 = {⟨W⟩…, ⟨W⟩⇓ | W an I/O-trace}. Observations are defined as the least sets satisfying the following rules:

$$
\frac{}{tr \in \langle\epsilon\rangle_{\ldots}}
\qquad
\frac{tr = {\downarrow}}{tr \in \langle\epsilon\rangle_{\Downarrow}}
\qquad
\frac{tr_n \in \langle W\rangle_{\ldots}}{\mathsf{input}(tr_0, tr_1, \ldots) \in \langle(?n)W\rangle_{\ldots}}
\qquad
\frac{tr' \in \langle W\rangle_{\ldots}}{\mathsf{output}_n(tr') \in \langle(!n)W\rangle_{\ldots}}
$$

and the analogous rules for ⟨(?n)W⟩⇓ and ⟨(!n)W⟩⇓. Thus, ⟦t⟧ ∈ ⟨W⟩… if computation t produces I/O trace W, and ⟦t⟧ ∈ ⟨W⟩⇓ if additionally t succeeds immediately after producing W.


Using the set of observations 𝔓, we can now define contextual equivalence as the greatest compatible and adequate equivalence relation between possibly open terms of the same type. Adequacy specifies a necessary condition for two closed computations to be related, namely producing the same observations.


Definition 1. A well-typed relation R = (R^A, R^c) (i.e. a family of relations indexed by ECPS types where R^c relates computations) on possibly open terms is adequate if:

∀s, t. ⊢_Σ s R^c t ⟹ ∀P ∈ 𝔓. ⟦s⟧ ∈ P ⟺ ⟦t⟧ ∈ P.

Relation R is compatible if it is closed under the rules in [21, Page 57]. As an example, the rules for application and lambda abstraction are:

$$
\frac{\Gamma \vdash_\Sigma v\ R^{(\vec{A})\to R}\ v' \quad (\Gamma \vdash_\Sigma w_i\ R^{A_i}\ w'_i)_i}{\Gamma \vdash_\Sigma v(\vec{w})\ R^c\ v'(\vec{w}')}
\qquad
\frac{\Gamma, \vec{x}{:}\vec{A} \vdash_\Sigma s\ R^c\ t}{\Gamma \vdash_\Sigma \lambda(\vec{x}{:}\vec{A}).s\ R^{(\vec{A})\to R}\ \lambda(\vec{x}{:}\vec{A}).t}
$$

Definition 2 (Contextual equivalence). Let CA be the set of well-typed relations on possibly open terms that are both compatible and adequate. Define contextual equivalence ≡_ctx to be ⋃CA.


Proposition 1. Contextual equivalence ≡_ctx is an equivalence relation, and is moreover compatible and adequate.


This definition of contextual equivalence, originally proposed in [11,19], can be easily proved equivalent to the traditional definition involving program contexts (see [21, §7]). As Pitts observes [30], reasoning about program contexts directly is inconvenient because they cannot be defined up to alpha-equivalence, hence we prefer using Definition 2.

For example, in the pure setting (Example 1), we have 0̄ ≢_ctx 1̄, because test_zero(0̄) ≢_ctx test_zero(1̄); they are distinguished by the observation ⇓. In the state example, lookup_{l_1}(k) ≢_ctx lookup_{l_2}(k), because they are distinguished by the context (λk:nat→R. [−]) (test_zero) and the observation ⟨S⇓⟩ where S(l_1) = 0 and S(l_2) = 1. In the case of probabilistic choice (Example 3), geom (λx:nat. ↓ ()) ≡_ctx ↓ () because (geom (λx:nat. ↓ ())) succeeds with probability 1 ('almost surely').


3 A Program Logic for ECPS — F 


This section contains the main contribution of the paper: a logic F of program properties for ECPS which characterizes contextual equivalence. Crucially, the logic makes use of the observations in 𝔓 to express properties of computations.

In F, there is a distinction between formulas that describe values and those that describe computations. Each value formula is associated an ECPS type A. Value formulas are constructed from the basic formulas (φ_1, …, φ_n) → P and φ = {n}, where n ∈ ℕ and P ∈ 𝔓, as below. The indexing set I can be infinite, even uncountable. Computation formulas are simply the elements of 𝔓.


$$
\frac{n \in \mathbb{N}}{\{n\} : \mathsf{nat}}
\qquad
\frac{\phi_1 : A_1 \ \ldots\ \phi_n : A_n \quad P \in \mathfrak{P}}{(\phi_1, \ldots, \phi_n) \to P : (A_1, \ldots, A_n)\to R}
\qquad
\frac{(\phi_i : A)_{i \in I}}{\bigvee_{i \in I}\phi_i : A}
\qquad
\frac{(\phi_i : A)_{i \in I}}{\bigwedge_{i \in I}\phi_i : A}
\qquad
\frac{\phi : A}{\neg\phi : A}
\qquad \text{(VAL)}
$$

The satisfaction relation ⊨_F relates a closed value ⊢_Σ v : A to a value formula φ : A of the same type, or a closed computation t to an observation P. Relation t ⊨_F P tests the shape of the effect tree of t.

$$
\begin{aligned}
v \models_F \{n\} &\iff v = \bar{n} \\
v \models_F (\phi_1, \ldots, \phi_n) \to P &\iff \text{for all closed values } w_1, \ldots, w_n \text{ such that } \forall i.\ w_i \models_F \phi_i, \text{ then } v(w_1, \ldots, w_n) \models_F P \\
v \models_F \textstyle\bigvee_{i \in I}\phi_i &\iff \text{there exists } j \in I \text{ such that } v \models_F \phi_j \\
v \models_F \textstyle\bigwedge_{i \in I}\phi_i &\iff \text{for all } j \in I,\ v \models_F \phi_j \\
v \models_F \neg\phi &\iff \text{it is false that } v \models_F \phi \\
t \models_F P &\iff \llbracket t \rrbracket \in P
\end{aligned}
$$


A Sound and Complete Logic for Algebraic Effects 391 


Example 11. Consider the following formulas, where only φ_3 and φ_4 refer to the same effect context:

$$
\begin{aligned}
\phi_1 &= ((\{3\} \to \Diamond) \to \Diamond) \wedge ((\{4\} \to \Diamond) \to \Diamond) \wedge ((\{3\} \to \Box \wedge \{4\} \to \Box) \to \Box) \\
\phi_2 &= ((\textstyle\bigvee_{n > 1}\{n\}) \to P_{>q}) \to P_{>q/2} \\
\phi_3 &= \textstyle\bigwedge_{S \in State} ((\{S(l_0)\} \to \langle S{\Downarrow}\rangle) \to \langle S{\Downarrow}\rangle) \\
\phi_4 &= \textstyle\bigwedge_{S \in State} \bigwedge_{n \in \mathbb{N}} ((\{n\},\ () \to \langle S[l_0 := n, l_1 := n+1]{\Downarrow}\rangle) \to \langle S[l_0 := n]{\Downarrow}\rangle) \\
\phi_5 &= \textstyle\bigwedge_{k \in \mathbb{N}} \bigvee_{n_1, \ldots, n_k \in \mathbb{N}} (() \to \langle ?n_1 !n_1 ?n_2 !n_2 \ldots ?n_k !n_k \rangle_{\ldots}).
\end{aligned}
$$

Given a function v : (nat→R)→R, v ⊨_F φ_1 means that v is guaranteed to call its argument only with 3 or 4. The function geom from Example 3 satisfies φ_2 because with probability 1/2 it passes to the continuation a number n > 1.

For example, the following satisfactions hold: λk:nat→R. lookup_{l_0}(k) ⊨_F φ_3 and f = λ(x:nat, k:()→R). update_{l_1}(succ(x), k) ⊨_F φ_4. The latter formula says that, either f always succeeds, or f evaluated with n̄ changes the state from S[l_0 := n] to S[l_0 := n, l_1 := n+1] before calling its continuation. This is similar to a total correctness assertion [S[l_0 := n]] (−) [S[l_0 := n, l_1 := n+1]] from Hoare logic, for a direct style program. Formula φ_5 is satisfied by λ().echo, where echo is the computation defined in Example 5.


Even though the indexing set I in ⋀_{i∈I} and ⋁_{i∈I} may be uncountable, the sets of values and computations are countable. Since logical formulas are interpreted over values and computations, all conjunctions and disjunctions are logically equivalent to countable ones.


Definition 3 (Logical equivalence). For any closed values ⊢_Σ v_1 : A and ⊢_Σ v_2 : A, and for any closed computations ⊢_Σ s_1 and ⊢_Σ s_2:

v_1 ≡_F v_2 ⟺ ∀φ : A in F. (v_1 ⊨_F φ ⟺ v_2 ⊨_F φ)

s_1 ≡_F s_2 ⟺ ∀P in F. (s_1 ⊨_F P ⟺ s_2 ⊨_F P).


To facilitate equational reasoning, logical equivalence should be compatible, a property proved in the next section (Proposition 3). Compatibility allows substitution of related programs for a free variable that appears on both sides of a program equation. Notice that logical equivalence would not be changed if we added conjunction, disjunction and negation at the level of computation formulas. We have omitted such connectives for simplicity.

To state our main theorem, first define the open extension of a well-typed relation R on closed terms as: x⃗ : A⃗ ⊢_Σ t R° s if and only if for any closed values (⊢_Σ v_i : A_i)_i, t[v⃗/x⃗] R s[v⃗/x⃗]. Three sufficient conditions that we impose on the set of observations 𝔓 are defined below. The first one, consistency, ensures that contextual equivalence can distinguish at least two programs.


Definition 4 (Consistency). A set of observations 𝔓 is consistent if there exists at least one observation P_0 ∈ 𝔓 such that:

1. P_0 ≠ Trees_Σ and
2. there exists at least one computation t_0 such that ⟦t_0⟧ ∈ P_0.


Definition 5 (Scott-openness). A set of trees X is Scott-open if:

1. It is upwards closed, that is: tr ∈ X and tr ≤ tr' imply tr' ∈ X.
2. Whenever tr_1 ≤ tr_2 ≤ … is an ascending chain with least upper bound ⊔ tr_i ∈ X, then tr_j ∈ X for some j.


Definition 6 (Decomposability). The set of observations 𝔓 is decomposable if for any P ∈ 𝔓, and for any tr ∈ P:

∀σ ∈ Σ. (tr = σ_v⃗(tr⃗') ⟹ ∃P⃗' ∈ 𝔓 ∪ {Trees_Σ}. tr⃗' ∈ P⃗' and ∀p⃗' ∈ P⃗'. σ_v⃗(p⃗') ∈ P).

Theorem 1 (Soundness and Completeness of F). For a decomposable set of Scott-open observations 𝔓 that is consistent, the open extension of F-logical equivalence coincides with contextual equivalence: (≡°_F) = (≡_ctx).


The proof of this theorem is outlined in Sect. 4. It is easy to see that for all running examples of effects the set 𝔓 is consistent. The proof that each P ∈ 𝔓 is Scott-open is similar to that for modalities from [38]. It remains to show that for all our examples 𝔓 is decomposable. Intuitively, decomposability can be understood as saying that logical equivalence is a congruence for the effect context Σ.


Example 12 (Pure functional computation). The only observation is ⇓ = {↓}. There are no trees in ⇓ whose root has children, so decomposability is satisfied.


Example 13 (Nondeterminism). Consider tr ∈ ◇. Either tr = ↓, in which case we are done, or tr = or(tr_0, tr_1). It must be the case that either tr_0 or tr_1 have a ↓-leaf. Without loss of generality, assume this is the case for tr_0. Then we know tr_0 ∈ ◇ so we can choose P'_0 = ◇, P'_1 = Trees_Σ. For any p⃗' ∈ P⃗' we know or(p⃗') ∈ ◇ because p'_0 has a ↓-leaf, so decomposability holds. The argument for tr ∈ □ is analogous: P'_0 = P'_1 = □.


Example 14 (Probabilistic choice). Consider tr = p-or(tr_0, tr_1) ∈ P_{>q}. Choose:

q_0 = (P(tr_0) / (P(tr_0) + P(tr_1))) · 2q   and   q_1 = (P(tr_1) / (P(tr_0) + P(tr_1))) · 2q.

From P(tr) = ½(P(tr_0) + P(tr_1)) > q we can deduce that: 1 ≥ P(tr_0) > q_0 and 1 ≥ P(tr_1) > q_1. So we can choose P'_0 = P_{>q_0}, P'_1 = P_{>q_1} to satisfy decomposability.


Example 15 (Global store). Consider a tree tr = σ_v⃗(tr_0, tr_1, tr_2, …) ∈ ⟨S⇓⟩. If σ = lookup_l then we know tr_{S(l)} ∈ ⟨S⇓⟩. In the definition of decomposability, choose P'_{S(l)} = ⟨S⇓⟩ and P'_{i≠S(l)} = Trees_Σ and we are done. If σ_v⃗ = update_{l,n}, then tr_0 ∈ ⟨S[l := n]⇓⟩. Choose P'_0 = ⟨S[l := n]⇓⟩.

Example 16 (Interactive input/output). Consider an I/O trace W ≠ ε and a tree tr = σ_v⃗(tr_0, tr_1, tr_2, …) ∈ ⟨W⟩…. If σ = input, it must be the case that W = (?k)W' and tr_k ∈ ⟨W'⟩…. We can choose P'_k = ⟨W'⟩… and P'_{n≠k} = ⟨ε⟩… and we are done. If σ_v⃗ = output_n, then W = (!n)W' and tr_0 ∈ ⟨W'⟩…. Choose P'_0 = ⟨W'⟩… and we are done. The proof for ⟨W⟩⇓ is analogous.


4 Soundness and Completeness of the Logic F 


This section outlines the proof of Theorem 1, which says that F-logical equivalence coincides with contextual equivalence. The full proof can be found in [21]. First, we define applicative bisimilarity for ECPS, similarly to the way Simpson and Voorneveld [38] define it for PCF with algebraic effects. Then, we prove in turn that F-logical equivalence coincides with applicative bisimilarity, and that applicative bisimilarity coincides with contextual equivalence. Thus, three notions of program equivalence for ECPS are in fact the same.


Definition 7 (Applicative 𝔓-bisimilarity). A collection of relations R^A ⊆ (⊢_Σ A)^2 for each type A and R^c ⊆ (⊢_Σ)^2 is an applicative 𝔓-simulation if:

1. v R^nat w ⟹ v = w.

2. s R^c t ⟹ ∀P ∈ 𝔓. (⟦s⟧ ∈ P ⟹ ⟦t⟧ ∈ P).

3. v R^{(A⃗)→R} u ⟹ ∀(⊢_Σ w_i : A_i)_i. v(w⃗) R^c u(w⃗).

An applicative 𝔓-bisimulation is a symmetric simulation. Bisimilarity, denoted by ~, is the union of all bisimulations. Therefore, it is the greatest applicative 𝔓-bisimulation.

Notice that applicative bisimilarity uses the set of observations 𝔓 to relate computations, just as contextual and logical equivalence do. It is easy to show that bisimilarity is an equivalence relation.


Proposition 2. Given a decomposable set of Scott-open observations 𝔓, the open extension of applicative 𝔓-bisimilarity, ~°, is compatible.

Proof (notes). This is proved using Howe's method [14], following the structure of the corresponding proof from [38]. Scott-openness is used to show that the observations P interact well with the sequence of trees ⟦−⟧_(−) associated with each computation. For details see [21, §5.4].


Proposition 3. Given a decomposable set of Scott-open observations 𝔓, applicative 𝔓-bisimilarity ~ coincides with F-logical equivalence ≡_F. Hence, the open extension of F-logical equivalence ≡°_F is compatible.

Proof (sketch). We define a new logic V which is almost the same as F except that the (VAL) rule is replaced by:

$$
\frac{\vdash_\Sigma w_1 : A_1 \ \ldots\ \vdash_\Sigma w_n : A_n \quad P \in \mathfrak{P}}{(w_1, \ldots, w_n) \to P : (A_1, \ldots, A_n)\to R}
\qquad\qquad
v \models_V (\vec{w}) \to P \iff v(\vec{w}) \models_V P.
$$

That is, formulas of function type are now constructed using ECPS values. It is relatively straightforward to show that V-logical equivalence coincides with applicative 𝔓-bisimilarity [21, Prop. 6.3.1]. However, we do not know of a similar direct proof for the logic F. From Proposition 2, we deduce that V-logical equivalence is compatible.

Next, we prove that the logics F and V are in fact equi-expressive, so they induce the same relation of logical equivalence on ECPS programs [21, Prop. 6.3.4]. Define a translation of formulas from F to V, (−)♭, and one from V to F, (−)♯. The most interesting cases are those for formulas of function type:

((φ_1, …, φ_n) → P)♭ = ⋀{(w_1, …, w_n) → P | w_1 ⊨_V φ_1♭, …, w_n ⊨_V φ_n♭}
((w_1, …, w_n) → P)♯ = (χ_{w_1}, …, χ_{w_n}) → P

where χ_{w_i} is the characteristic formula of w_i, that is χ_{w_i} = ⋀{φ | w_i ⊨_F φ}. Equi-expressivity means that the satisfaction relation remains unchanged under both translations, for example v ⊨_V φ♭ ⟺ v ⊨_F φ. Most importantly, the proof of equi-expressivity makes use of compatibility of ≡_V, which we established previously. For a full proof see [21, Prop. 6.2.3].


Finally, to prove Theorem 1 we show that applicative 𝔓-bisimilarity coincides with contextual equivalence [21, Prop. 7.2.2]:

Proposition 4. Consider a decomposable set 𝔓 of Scott-open observations that is consistent. The open extension of applicative 𝔓-bisimilarity ~° coincides with contextual equivalence ≡_ctx.

Proof (sketch). Prove (≡_ctx) ⊆ (~°) in two stages: first we show it holds for closed terms by showing ≡_ctx for them is a bisimulation; we make use of consistency of 𝔓 in the case of natural numbers. Then we extend to open terms using compatibility of ~°. The opposite inclusion follows immediately by compatibility and adequacy of ~°.


5 Related Work 


The work closest to ours is that by Simpson and Voorneveld [38]. In the context of a direct-style language with algebraic effects, EPCF, they propose a modal logic which characterizes applicative bisimilarity but not contextual equivalence. Consider the following example from [19] (we use simplified EPCF syntax):

M = λ().?nat      N = let y ⇐ ?nat in λ().min(?nat, y)      (1)

where ?nat is a computation, defined using or, which returns a natural number nondeterministically. Term M satisfies the formula Φ = ◇(true ↦ ⋀_{n∈ℕ} ◇{n}) in the logic of [38], which says that M may return a function which in turn may return any natural number. However, N does not satisfy Φ because it always returns a bounded number generator G. The bound on G is arbitrarily high so M and N are contextually equivalent, since a context can only test a finite number of outcomes of G.

EPCF can be translated into ECPS via a continuation-passing translation that preserves the shape of computation trees. The translation maps a value Γ ⊢ V : τ to a value Γ* ⊢ V* : τ*. An EPCF computation Γ ⊢ M : τ becomes an ECPS value Γ* ⊢ M* : (τ*→R)→R, which intuitively is waiting for a continuation k to pass its return result to (see [21, §4]). As an example, consider the cases for functions and application, where k stands for a continuation:

(Γ ⊢ λx:τ.M : τ → ρ)* = Γ* ⊢ λ(x:τ*, k:ρ*→R). (M* k) : (τ*, (ρ*→R))→R
(Γ ⊢ V W : ρ)* = Γ* ⊢ λk:ρ*→R. V* (W*, k) : (ρ*→R)→R.

This translation suggests that ECPS functions of type (A_1, …, A_n)→R can be regarded as continuations that never return. In EPCF the CPS-style algebraic operations can be replaced by direct-style generic effects [34], e.g. input() : nat.

One way to understand this CPS translation is that it arises from the fact that $((-) \to R) \to R$ is a monad on the multicategory of values (in a suitable sense, e.g. [40]), which means that we can use the standard monadic interpretation of a call-by-value language. As usual, the algebraic structure on the return type $R$ induces an algebraic structure on the entire monad (see e.g. [16], [24, §8]). We have not taken a denotational perspective in this paper, but for the reader with this perspective, a first step is to note that the quotient set $Q \stackrel{\mathrm{def}}{=} (\mathit{Trees}_\Sigma)/{\equiv_\mathfrak{P}}$ is a $\Sigma$-algebra, where $(tr \equiv_\mathfrak{P} tr')$ if $\forall P \in \mathfrak{P}.\ (tr \in P \iff tr' \in P)$; decomposability implies that $(\equiv_\mathfrak{P})$ is a $\Sigma$-congruence. This thus induces a CPS monad $Q^{Q^{(-)}}$ on the category of cpos.

Note that the terms in (1) above are an example of programs that are not bisimilar in EPCF but become bisimilar when translated to ECPS. This is because in ECPS bisimilarity, like contextual and logical equivalence, uses continuations to test return results. Therefore, in ECPS we cannot test for all natural numbers, like formula $\Phi$ does. This example provides an intuition of why we were able to show that all three notions of equivalence coincide, while [38] was not.

The modalities in Simpson's and Voorneveld's logic are similar to the observations from $\mathfrak{P}$, because they also specify shapes of effect trees. Since EPCF computations have a return value, a modality is used to lift a formula about the return values to a computation formula. In contrast, in the logic $\mathcal{F}$ observations alone suffice to specify properties of computations. From this point of view, our use of observations is closer to that found in the work of Johann et al. [17]. This use of observations also leads to a much simpler notion of decomposability (Definition 6) than that found in [38].

It can easily be shown that for the running examples of effects, $\mathcal{F}$-logical equivalence induces the program equations which are usually used to axiomatize algebraic effects, for example the equations for global store from [33]. Thus our choice of observations is justified further.

A different logic for algebraic effects was proposed by Plotkin and Pretnar [35]. It has a modality for each effect operation, whereas observations in $\mathfrak{P}$ are determined by the behaviour of effects, rather than by the syntax of their operations. Plotkin and Pretnar prove that their logic is sound for establishing several notions of program equivalence, but not complete in general. Refinement types are yet another approach to specifying the behaviour of algebraic effects (e.g. [3]). Several monad-based logics for computational effects have been proposed, such as [10], [29], although without the focus on contextual equivalence.

A logic describing a higher-order language with local store is the Hoare logic of Yoshida, Honda and Berger [42]. Hoare logic has also been integrated into a type system for a higher-order functional language with dependent types, in the form of Hoare type theory [27]. Although we do not yet know how to deal with local state or dependent types in the logic $\mathcal{F}$, an advantage of our logic over the previous two is that we describe different algebraic effects in a uniform manner.

Another aspect worth noticing is that some (non-trivial) $\mathcal{F}$-formulas are not inhabited by any program. For example, there is no function $v : (() \to R) \to R$ satisfying:
satisfying: v= (0) = (10)...) = (11)... A (0 = (1...) = UO)... 

Formula $\psi$ says that, if the first operation of a continuation is output(0), this is replaced by output(1) and vice-versa. But in ECPS, one cannot check whether an argument outputs something without also causing the output observation, and so the formula is never satisfied.

However, $\psi$ could be inhabited if we extended ECPS to allow $\lambda$-abstraction over the symbols in the effect context $\Sigma$, and allowed such symbols to be captured during substitution (dynamic scoping). Consider the following example in an imaginary extended ECPS where we abstract over output:


$$h = \lambda(x{:}\mathrm{nat},\ k{:}() \to R).\ \mathbf{case}\ x\ \mathbf{of}\ \{\mathrm{zero} \Rightarrow \mathrm{output}(1, k),\ \mathrm{succ}(y) \Rightarrow \mathbf{case}\ y\ \mathbf{of}\ \{\mathrm{zero} \Rightarrow \mathrm{output}(0, k),\ \mathrm{succ}(z) \Rightarrow k\,()\}\}$$
$$v = \lambda f{:}() \to R.\ ((\lambda\,\mathrm{output}{:}(\mathrm{nat}, () \to R) \to R.\ (f\,()))\ h).$$

The idea is that during reduction of $(v\ f)$, the output operations in $f$ are captured by $\lambda\,\mathrm{output}$. Thus, output(0) operations from $(f\ ())$ are replaced by output(1) and vice-versa, and all other writes are skipped; so in particular $v \models \psi$. This behaviour is similar to that of effect handlers [36]: computation $(f\ ())$ is being handled by handler $h$. We leave for future work the study of handlers in ECPS and of their corresponding logic.


6 Concluding Remarks 


To summarize, we have studied program equivalence for a higher-order CPS language with general algebraic effects and general recursion (Sect. 2). Our main contribution is a logic $\mathcal{F}$ of program properties (Sect. 3) whose induced program equivalence coincides with contextual equivalence (Theorem 1; Sect. 4). Previous work on algebraic effects concentrated on logics that are sound for contextual equivalence, but not complete [35,38]. Moreover, $\mathcal{F}$-logical equivalence also coincides with applicative bisimilarity for our language. We exemplified our results for nondeterminism, probabilistic choice, global store and I/O. A next step would be to consider local effects (e.g. [22,33,37,39]) or normal form bisimulation (e.g. [6]).


Abstract. This paper proposes a new category theoretic account of equationally axiomatizable classes of algebras. Our approach is well-suited for the treatment of algebras equipped with additional computationally relevant structure, such as ordered algebras, continuous algebras, quantitative algebras, nominal algebras, or profinite algebras. Our main contributions are a generic HSP theorem and a sound and complete equational logic, which are shown to encompass numerous flavors of equational axiomatizations studied in the literature.


1 Introduction 


A key tool in the algebraic theory of data structures is their specification by operations (constructors) and equations that they ought to satisfy. Hence, the study of models of equational specifications has been of long standing interest both in mathematics and computer science. The seminal result in this field is Birkhoff's celebrated HSP theorem [7]. It states that a class of algebras over a signature $\Sigma$ is a variety (i.e. closed under homomorphic images, subalgebras, and products) iff it is axiomatizable by equations $s = t$ between $\Sigma$-terms. Birkhoff also introduced a complete deduction system for reasoning about equations.

In algebraic approaches to the semantics of programming languages and computational effects, it is often natural to study algebras whose underlying sets are equipped with additional computationally relevant structure and whose operations preserve that structure. An important line of research thus concerns extensions of Birkhoff's theory of equational axiomatization beyond ordinary $\Sigma$-algebras. On the syntactic level, this requires enriching Birkhoff's notion of an equation in ways that reflect the extra structure. Let us mention a few examples:


(1) Ordered algebras (given by a poset and monotone operations) and continuous algebras (given by a complete partial order and continuous operations) were identified by the ADJ group [14] as an important tool in denotational semantics. Subsequently, Bloom [8] and Adámek, Nelson, and Reiterman [2,3] established ordered versions of the HSP theorem along with complete deduction systems. Here, the role of equations $s = t$ is taken over by inequations $s \leq t$.

(2) Quantitative algebras (given by an extended metric space and nonexpansive operations) naturally arise as semantic domains in the theory of probabilistic computation. In recent work, Mardare, Panangaden, and Plotkin [18,19] presented an HSP theorem for quantitative algebras and a complete deduction system. In the quantitative setting, equations $s =_\varepsilon t$ are equipped with a non-negative real number $\varepsilon$, interpreted as "$s$ and $t$ have distance at most $\varepsilon$".

(3) Nominal algebras (given by a nominal set and equivariant operations) are used in the theory of name binding [24] and have proven useful for characterizing logics for data languages [9,11]. Varieties of nominal algebras were studied by Gabbay [13] and Kurz and Petrişan [16]. Here, the appropriate syntactic concept involves equations $s = t$ with constraints on the support of their variables.

(4) Profinite algebras (given by a profinite topological space and continuous operations) play a central role in the algebraic theory of formal languages [22]. They serve as a technical tool in the investigation of pseudovarieties (i.e. classes of finite algebras closed under homomorphic images, subalgebras, and finite products). As shown by Reiterman [25] and Eilenberg and Schützenberger [12], pseudovarieties can be axiomatized by profinite equations (formed over free profinite algebras) or, equivalently, by sequences of ordinary equations $(s_i = t_i)_{i < \omega}$, interpreted as "all but finitely many of the equations $s_i = t_i$ hold".


The present paper proposes a general category theoretic framework that allows one to study classes of algebras with extra structure in a systematic way. Our overall goal is to isolate the domain-specific part of any theory of equational axiomatization from its generic core. Our framework is parametric in the following data:


— a category $\mathcal{A}$ with a factorization system $(\mathcal{E}, \mathcal{M})$;
— a full subcategory $\mathcal{A}_0 \subseteq \mathcal{A}$;
— a class $\Lambda$ of cardinal numbers;
— a class $\mathcal{X} \subseteq \mathcal{A}_0$ of objects.


Here, $\mathcal{A}$ is the category of algebras under consideration (e.g. ordered algebras, quantitative algebras, nominal algebras). Varieties are formed within $\mathcal{A}_0$, and the cardinal numbers in $\Lambda$ determine the arities of products under which the varieties are closed. Thus, the choice $\mathcal{A}_0$ = finite algebras and $\Lambda$ = finite cardinals corresponds to pseudovarieties, and $\mathcal{A}_0 = \mathcal{A}$ and $\Lambda$ = all cardinals to varieties. The crucial ingredient of our setting is the parameter $\mathcal{X}$, which is the class of objects over which equations are formed; thus, typically, $\mathcal{X}$ is chosen to be some class of freely generated algebras in $\mathcal{A}_0$. Equations are modeled as $\mathcal{E}$-quotients $e\colon X \twoheadrightarrow E$ (more generally, filters of such quotients) with domain $X \in \mathcal{X}$.

The choice of $\mathcal{X}$ reflects the desired expressivity of equations in a given setting. Furthermore, it determines the type of quotients under which equationally axiomatizable classes are closed. More precisely, in our general framework a variety is defined to be a subclass of $\mathcal{A}_0$ closed under $\mathcal{E}_\mathcal{X}$-quotients, $\mathcal{M}$-subobjects, and $\Lambda$-products, where $\mathcal{E}_\mathcal{X}$ is a subclass of $\mathcal{E}$ derived from $\mathcal{X}$. Due to its parametric nature, this concept of a variety is widely applicable and turns out to specialize to many interesting cases. The main result of our paper is the


General HSP Theorem. A subclass of $\mathcal{A}_0$ forms a variety if and only if it is axiomatizable by equations.


In addition, we introduce a generic deduction system for equations, based on 
two simple proof rules (see Sect. 4), and establish a 


General Completeness Theorem. The generic deduction system for equa- 
tions is sound and complete. 


The above two theorems can be seen as the generic building blocks of the model theory of algebras with structure. They form the common core of numerous Birkhoff-type results and give rise to a systematic recipe for deriving concrete HSP and completeness theorems in settings such as (1)–(4). In fact, all that needs to be done is to translate our abstract notion of equation and equational deduction, which involves (filters of) quotients, into an appropriate syntactic concept. This is the domain-specific task to fulfill, and usually amounts to identifying an "exactness" property for the category $\mathcal{A}$. Subsequently, one can apply our general results to obtain HSP and completeness theorems for the type of algebras under consideration. Several instances of this approach are shown in Sect. 5. Omitted proofs and details for the examples can be found in [20].


Related work. Generic approaches to universal algebra have a long tradition in category theory. They aim to replace syntactic notions like terms and equations by suitable categorical abstractions, most prominently Lawvere theories and monads [4,17]. Our present work draws much of its inspiration from the classical paper of Banaschewski and Herrlich [6] on HSP classes in $(\mathcal{E}, \mathcal{M})$-structured categories. These authors were the first to model equations as quotients $e\colon X \twoheadrightarrow E$. However, their approach does not feature the parameter $\mathcal{X}$ and assumes that equations are formed over $\mathcal{E}$-projective objects $X$. This limits the scope of their results to categories with enough projectives, a property that typically fails in categories of algebras with structure (including continuous, quantitative or nominal algebras). The identification of the parameter $\mathcal{X}$ and of the derived parameter $\mathcal{E}_\mathcal{X}$ as a key concept is thus a crucial step towards a categorical view of such structures.

Equational logics on the level of abstraction of Banaschewski and Herrlich's work were studied by Roşu [26,27] and Adámek, Hébert, and Sousa [1]. These authors work under assumptions on the category $\mathcal{A}$ different from our framework, e.g. they require existence of pushouts. Hence, the proof rules and completeness results in loc. cit. are not directly comparable to our approach in Sect. 4.

In the present paper, we model equations as filters of quotients rather than single quotients, which allows us to encompass several HSP theorems for finite algebras [12,23,25]. The first categorical generalization of such results was given by Adámek, Chen, Milius, and Urbat [10,29] who considered algebras for a monad $T$ on an algebraic category and modeled equations as filters of finite quotients of free $T$-algebras (equivalently, as profinite quotients of free profinite $T$-algebras). This idea was generalized by Salamanca [28] to monads on concrete categories. However, again, this work only applies to categories with enough projectives.


2 Preliminaries 


We start by recalling some notions from category theory. A factorization system $(\mathcal{E}, \mathcal{M})$ in a category $\mathcal{A}$ consists of two classes $\mathcal{E}, \mathcal{M}$ of morphisms in $\mathcal{A}$ such that (1) both $\mathcal{E}$ and $\mathcal{M}$ contain all isomorphisms and are closed under composition, (2) every morphism $f$ has a factorization $f = m \cdot e$ with $e \in \mathcal{E}$ and $m \in \mathcal{M}$, and (3) the diagonal fill-in property holds: for every commutative square $g \cdot e = m \cdot f$ with $e \in \mathcal{E}$ and $m \in \mathcal{M}$, there exists a unique $d$ with $m \cdot d = g$ and $d \cdot e = f$. The morphisms $m$ and $e$ in (2) are unique up to isomorphism and are called the image and coimage of $f$, resp. The factorization system is proper if all morphisms in $\mathcal{E}$ are epic and all morphisms in $\mathcal{M}$ are monic. From now on, we will assume that $\mathcal{A}$ is a category equipped with a proper factorization system $(\mathcal{E}, \mathcal{M})$. Quotients and subobjects in $\mathcal{A}$ are taken with respect to $\mathcal{E}$ and $\mathcal{M}$. That is, a quotient of an object $X$ is represented by a morphism $e\colon X \twoheadrightarrow E$ in $\mathcal{E}$ and a subobject by a morphism $m\colon M \rightarrowtail X$ in $\mathcal{M}$. The quotients of $X$ are ordered by $e \leq e'$ iff $e'$ factorizes through $e$, i.e. there exists a morphism $h$ with $e' = h \cdot e$. Identifying quotients $e$ and $e'$ which are isomorphic (i.e. $e \leq e'$ and $e' \leq e$), this makes the quotients of $X$ a partially ordered class. Given a full subcategory $\mathcal{A}_0 \subseteq \mathcal{A}$ we denote by $X{\twoheadrightarrow}\mathcal{A}_0$ the class of all quotients of $X$ represented by $\mathcal{E}$-morphisms with codomain in $\mathcal{A}_0$. The category $\mathcal{A}$ is $\mathcal{E}$-co-wellpowered if for every object $X \in \mathcal{A}$ there is only a set of quotients with domain $X$. In particular, $X{\twoheadrightarrow}\mathcal{A}_0$ is then a poset. Finally, an object $X \in \mathcal{A}$ is called projective w.r.t. a morphism $e\colon A \twoheadrightarrow B$ if for every $h\colon X \to B$, there exists a morphism $g\colon X \to A$ with $h = e \cdot g$.


3 The Generalized Variety Theorem 


In this section, we introduce our categorical notions of equation and variety, and derive the HSP theorem. Fix a category $\mathcal{A}$ with a proper factorization system $(\mathcal{E}, \mathcal{M})$, a full subcategory $\mathcal{A}_0 \subseteq \mathcal{A}$, a class $\Lambda$ of cardinal numbers, and a class $\mathcal{X} \subseteq \mathcal{A}_0$ of objects. An object of $\mathcal{A}$ is called $\mathcal{X}$-generated if it is a quotient of some object in $\mathcal{X}$. A key role will be played by the subclass $\mathcal{E}_\mathcal{X} \subseteq \mathcal{E}$ defined by


$$\mathcal{E}_\mathcal{X} = \{\, e \in \mathcal{E} : \text{every } X \in \mathcal{X} \text{ is projective w.r.t. } e \,\}.$$


Note that $\mathcal{X} \subseteq \mathcal{X}'$ implies $\mathcal{E}_{\mathcal{X}'} \subseteq \mathcal{E}_\mathcal{X}$. The choice of $\mathcal{X}$ is a trade-off between "having enough equations" (that is, $\mathcal{X}$ needs to be rich enough to make equations sufficiently expressive) and "having enough projectives" (cf. (3) below).


Assumptions 3.1. Our data is required to satisfy the following properties:
(1) $\mathcal{A}$ has $\Lambda$-products, i.e. for every $\lambda \in \Lambda$ and every family $(A_i)_{i < \lambda}$ of objects in $\mathcal{A}$, the product $\prod_{i < \lambda} A_i$ exists.

(2) $\mathcal{A}_0$ is closed under isomorphisms, $\Lambda$-products and $\mathcal{X}$-generated subobjects. The last statement means that for every subobject $m\colon A \rightarrowtail B$ in $\mathcal{M}$ where $B \in \mathcal{A}_0$ and $A$ is $\mathcal{X}$-generated, one has $A \in \mathcal{A}_0$.

(3) Every object of $\mathcal{A}_0$ is an $\mathcal{E}_\mathcal{X}$-quotient of some object of $\mathcal{X}$, that is, for every object $A \in \mathcal{A}_0$ there exists some $e\colon X \twoheadrightarrow A$ in $\mathcal{E}_\mathcal{X}$ with domain $X \in \mathcal{X}$.


Example 3.2. Throughout this section, we will use the following three running examples to illustrate our concepts. For further applications, see Sect. 5.


(1) Classical $\Sigma$-algebras. The setting of Birkhoff's seminal work [7] in general algebra is that of algebras for a signature. Recall that a (finitary) signature is a set $\Sigma$ of operation symbols each with a prescribed finite arity, and a $\Sigma$-algebra is a set $A$ equipped with operations $\sigma\colon A^n \to A$ for each $n$-ary $\sigma \in \Sigma$. A morphism of $\Sigma$-algebras (or a $\Sigma$-homomorphism) is a map preserving all $\Sigma$-operations. The forgetful functor from the category $\mathbf{Alg}(\Sigma)$ of $\Sigma$-algebras and $\Sigma$-homomorphisms to $\mathbf{Set}$ has a left adjoint assigning to each set $X$ the free $\Sigma$-algebra $T_\Sigma X$, carried by the set of all $\Sigma$-terms in variables from $X$. To treat Birkhoff's results in our categorical setting, we choose the following parameters:

— $\mathcal{A} = \mathcal{A}_0 = \mathbf{Alg}(\Sigma)$;
— $(\mathcal{E}, \mathcal{M})$ = (surjective morphisms, injective morphisms);
— $\Lambda$ = all cardinal numbers;
— $\mathcal{X}$ = all free $\Sigma$-algebras $T_\Sigma X$ with $X \in \mathbf{Set}$.

One easily verifies that $\mathcal{E}_\mathcal{X}$ consists of all surjective morphisms, that is, $\mathcal{E}_\mathcal{X} = \mathcal{E}$.

(2) Finite $\Sigma$-algebras. Eilenberg and Schützenberger [12] considered classes of finite $\Sigma$-algebras, where $\Sigma$ is assumed to be a signature with only finitely many operation symbols. In our framework, this amounts to choosing

— $\mathcal{A} = \mathbf{Alg}(\Sigma)$ and $\mathcal{A}_0 = \mathbf{Alg}_f(\Sigma)$, the full subcategory of finite $\Sigma$-algebras;
— $(\mathcal{E}, \mathcal{M})$ = (surjective morphisms, injective morphisms);
— $\Lambda$ = all finite cardinal numbers;
— $\mathcal{X}$ = all free $\Sigma$-algebras $T_\Sigma X$ with $X \in \mathbf{Set}_f$.

As in (1), the class $\mathcal{E}_\mathcal{X}$ consists of all surjective morphisms.

(3) Quantitative $\Sigma$-algebras. In recent work, Mardare, Panangaden, and Plotkin [18,19] extended Birkhoff's theory to algebras endowed with a metric. Recall that an extended metric space is a set $A$ with a map $d_A\colon A \times A \to [0, \infty]$ (assigning to any two points a possibly infinite distance), subject to the axioms (i) $d_A(a, b) = 0$ iff $a = b$, (ii) $d_A(a, b) = d_A(b, a)$, and (iii) $d_A(a, c) \leq d_A(a, b) + d_A(b, c)$ for all $a, b, c \in A$. A map $h\colon A \to B$ between extended metric spaces is nonexpansive if $d_B(h(a), h(a')) \leq d_A(a, a')$ for $a, a' \in A$. Let $\mathbf{Met}_\infty$ denote the category of extended metric spaces and nonexpansive maps. Fix a, not necessarily finitary, signature $\Sigma$, that is, the arity of an operation symbol $\sigma \in \Sigma$ is any cardinal number. A quantitative $\Sigma$-algebra


is a $\Sigma$-algebra $A$ endowed with an extended metric $d_A$ such that all $\Sigma$-operations $\sigma\colon A^n \to A$ are nonexpansive. Here, the product $A^n$ is equipped with the sup-metric $d_{A^n}((a_i)_{i < n}, (b_i)_{i < n}) = \sup_{i < n} d_A(a_i, b_i)$. The forgetful functor from the category $\mathbf{QAlg}(\Sigma)$ of quantitative $\Sigma$-algebras and nonexpansive $\Sigma$-homomorphisms to $\mathbf{Met}_\infty$ has a left adjoint assigning to each space $X$ the free quantitative $\Sigma$-algebra $T_\Sigma X$. The latter is carried by the set of all $\Sigma$-terms (equivalently, well-founded $\Sigma$-trees) over $X$, with metric inherited from $X$ as follows: if $s$ and $t$ are $\Sigma$-terms of the same shape, i.e. they differ only in the variables, their distance is the supremum of the distances of the variables in corresponding positions of $s$ and $t$; otherwise, it is $\infty$.

We aim to derive the HSP theorem for quantitative algebras proved by Mardare et al. as an instance of our general results. The theorem is parametric in a regular cardinal number $c > 1$. In the following, an extended metric space is called $c$-clustered if it is a coproduct of spaces of size $< c$. Note that coproducts in $\mathbf{Met}_\infty$ are formed on the level of underlying sets. Choose the parameters

— $\mathcal{A} = \mathcal{A}_0 = \mathbf{QAlg}(\Sigma)$;
— $(\mathcal{E}, \mathcal{M})$ given by morphisms carried by surjections and subspaces, resp.;
— $\Lambda$ = all cardinal numbers;
— $\mathcal{X}$ = all free algebras $T_\Sigma X$ with $X \in \mathbf{Met}_\infty$ a $c$-clustered space.

One can verify that a quotient $e\colon A \twoheadrightarrow B$ belongs to $\mathcal{E}_\mathcal{X}$ if and only if for each subset $B_0 \subseteq B$ of cardinality $< c$ there exists a subset $A_0 \subseteq A$ such that $e[A_0] = B_0$ and the restriction $e\colon A_0 \to B_0$ is isometric (that is, $d_B(e(a), e(a')) = d_A(a, a')$ for $a, a' \in A_0$). Following the terminology of Mardare et al., such a quotient is called $c$-reflexive. Note that for $c = 2$ every quotient is $c$-reflexive, so $\mathcal{E}_\mathcal{X} = \mathcal{E}$. If $c$ is infinite, $\mathcal{E}_\mathcal{X}$ is a proper subclass of $\mathcal{E}$.


Definition 3.3. An equation over $X \in \mathcal{X}$ is a class $\mathcal{T}_X \subseteq X{\twoheadrightarrow}\mathcal{A}_0$ that is


(1) $\Lambda$-codirected: every subset $F \subseteq \mathcal{T}_X$ with $|F| \in \Lambda$ has a lower bound in $\mathcal{T}_X$;
(2) closed under $\mathcal{E}_\mathcal{X}$-quotients: for every $e\colon X \twoheadrightarrow E$ in $\mathcal{T}_X$ and $q\colon E \twoheadrightarrow E'$ in $\mathcal{E}_\mathcal{X}$ with $E' \in \mathcal{A}_0$, one has $q \cdot e \in \mathcal{T}_X$.


An object $A \in \mathcal{A}_0$ satisfies the equation $\mathcal{T}_X$ if every morphism $h\colon X \to A$ factorizes through some $e \in \mathcal{T}_X$. In this case, we write


$$A \models \mathcal{T}_X.$$


Remark 3.4. In many of our applications, one can simplify the above definition and replace classes of quotients by single quotients. Specifically, if $\mathcal{A}$ is $\mathcal{E}$-co-wellpowered (so that every equation is a set, not a class) and $\Lambda$ = all cardinal numbers, then every equation $\mathcal{T}_X \subseteq X{\twoheadrightarrow}\mathcal{A}_0$ contains a least element $e_X\colon X \twoheadrightarrow E_X$, viz. the lower bound of all elements in $\mathcal{T}_X$. Then an object $A$ satisfies $\mathcal{T}_X$ iff it satisfies $e_X$, in the sense that every morphism $h\colon X \to A$ factorizes through $e_X$. Therefore, in this case, one may equivalently define an equation to be a morphism $e_X\colon X \twoheadrightarrow E_X$ with $X \in \mathcal{X}$. This is the concept of equation investigated by Banaschewski and Herrlich [6].
Example 3.5. In our running examples, we obtain the following concepts:


(1) Classical $\Sigma$-algebras. By Remark 3.4, an equation corresponds to a quotient $e_X\colon T_\Sigma X \twoheadrightarrow E_X$ in $\mathbf{Alg}(\Sigma)$, where $X$ is a set of variables.

(2) Finite $\Sigma$-algebras. An equation $\mathcal{T}_X$ over a finite set $X$ is precisely a filter (i.e. a codirected and upwards closed subset) in the poset $T_\Sigma X{\twoheadrightarrow}\mathbf{Alg}_f(\Sigma)$.

(3) Quantitative $\Sigma$-algebras. By Remark 3.4, an equation can be presented as a quotient $e_X\colon T_\Sigma X \twoheadrightarrow E_X$ in $\mathbf{QAlg}(\Sigma)$, where $X$ is a $c$-clustered space.


We shall demonstrate in Sect. 5 how to interpret the above abstract notions of equations, i.e. (filters of) quotients of free algebras, in terms of concrete syntax.


Definition 3.6. A variety is a full subcategory $\mathcal{V} \subseteq \mathcal{A}_0$ closed under $\mathcal{E}_\mathcal{X}$-quotients, subobjects, and $\Lambda$-products. More precisely,


(1) for every $\mathcal{E}_\mathcal{X}$-quotient $e\colon A \twoheadrightarrow B$ in $\mathcal{A}_0$ with $A \in \mathcal{V}$ one has $B \in \mathcal{V}$,

(2) for every $\mathcal{M}$-morphism $m\colon A \rightarrowtail B$ in $\mathcal{A}_0$ with $B \in \mathcal{V}$ one has $A \in \mathcal{V}$, and

(3) for every family of objects $A_i$ ($i < \lambda$) in $\mathcal{V}$ with $\lambda \in \Lambda$ one has $\prod_{i < \lambda} A_i \in \mathcal{V}$.


Example 3.7. In our examples, we obtain the following notions of varieties:


(1) Classical $\Sigma$-algebras. A variety of $\Sigma$-algebras is a class of $\Sigma$-algebras closed under quotient algebras, subalgebras, and products. This is Birkhoff's original concept [7].

(2) Finite $\Sigma$-algebras. A pseudovariety of $\Sigma$-algebras is a class of finite $\Sigma$-algebras closed under quotient algebras, subalgebras, and finite products. This concept was studied by Eilenberg and Schützenberger [12].

(3) Quantitative $\Sigma$-algebras. For any regular cardinal number $c > 1$, a $c$-variety of quantitative $\Sigma$-algebras is a class of quantitative $\Sigma$-algebras closed under $c$-reflexive quotients, subalgebras, and products. This notion of a variety was introduced by Mardare et al. [19].


Construction 3.8. Given a class $\mathbb{E}$ of equations, put


$$V(\mathbb{E}) = \{\, A \in \mathcal{A}_0 : A \models \mathcal{T}_X \text{ for each } \mathcal{T}_X \in \mathbb{E} \,\}.$$


A subclass $\mathcal{V} \subseteq \mathcal{A}_0$ is called equationally presentable if $\mathcal{V} = V(\mathbb{E})$ for some $\mathbb{E}$.


We aim to show that varieties coincide with the equationally presentable classes (see Theorem 3.16 below). The "easy" part of the correspondence is established by the following lemma, which is proved by a straightforward verification.


Lemma 3.9. For every class $\mathbb{E}$ of equations, $V(\mathbb{E})$ is a variety.


As a technical tool for establishing the general HSP theorem and the corresponding sound and complete equational logic, we introduce the following concept:


Definition 3.10. An equational theory is a family of equations


$$\mathcal{T} = (\mathcal{T}_X \subseteq X{\twoheadrightarrow}\mathcal{A}_0)_{X \in \mathcal{X}}$$
with the following two properties (illustrated by the diagrams below):


(1) Substitution invariance. For every morphism $h\colon X \to Y$ with $X, Y \in \mathcal{X}$ and every $e_Y\colon Y \twoheadrightarrow E_Y$ in $\mathcal{T}_Y$, the coimage $e_X\colon X \twoheadrightarrow E_X$ of $e_Y \cdot h$ lies in $\mathcal{T}_X$.

(2) $\mathcal{E}_\mathcal{X}$-completeness. For every $Y \in \mathcal{X}$ and every quotient $e\colon Y \twoheadrightarrow E_Y$ in $\mathcal{T}_Y$, there exists an $X \in \mathcal{X}$ and a quotient $e_X\colon X \twoheadrightarrow E_X$ in $\mathcal{T}_X \cap \mathcal{E}_\mathcal{X}$ with $E_X \cong E_Y$.


[Two commutative diagrams: for (1), the square $X \xrightarrow{h} Y$, $e_X \downarrow$, $\downarrow e_Y$, $E_X \rightarrowtail E_Y$; for (2), $e_X\colon X \twoheadrightarrow E_X$ and $e\colon Y \twoheadrightarrow E_Y$ with $E_X \cong E_Y$.]


Remark 3.11. In many settings, the slightly technical concept of an equational theory can be simplified. First, note that $\mathcal{E}_\mathcal{X}$-completeness is trivially satisfied whenever $\mathcal{E}_\mathcal{X} = \mathcal{E}$. If, additionally, every equation contains a least element (e.g. in the setting of Remark 3.4), an equational theory corresponds exactly to a family of quotients $(e_X\colon X \twoheadrightarrow E_X)_{X \in \mathcal{X}}$ such that $E_X \in \mathcal{A}_0$ for all $X \in \mathcal{X}$, and for every $h\colon X \to Y$ with $X, Y \in \mathcal{X}$ the morphism $e_Y \cdot h$ factorizes through $e_X$.


Example 3.12 (Classical $\Sigma$-algebras). Recall that a congruence on a $\Sigma$-algebra $A$ is an equivalence relation ${\equiv} \subseteq A \times A$ that forms a subalgebra of $A \times A$. It is well-known that there is an isomorphism of complete lattices


$$\text{quotient algebras of } A \;\cong\; \text{congruences on } A \qquad (3.1)$$

assigning to a quotient $e\colon A \twoheadrightarrow B$ its kernel, given by $a \equiv_e a'$ iff $e(a) = e(a')$. Consequently, in the setting of Example 3.2(1), an equational theory (presented as a family of single quotients as in Remark 3.11) corresponds precisely to a family of congruences $({\equiv_X} \subseteq T_\Sigma X \times T_\Sigma X)_{X \in \mathbf{Set}}$ closed under substitution, that is, for every $s, t \in T_\Sigma X$ and every morphism $h\colon T_\Sigma X \to T_\Sigma Y$ in $\mathbf{Alg}(\Sigma)$,


$$s \equiv_X t \quad\text{implies}\quad h(s) \equiv_Y h(t).$$


We saw in Lemma 3.9 that every class of equations, so in particular every equational theory $\mathcal{T}$, yields a variety $V(\mathcal{T})$ consisting of all objects of $\mathcal{A}_0$ that satisfy every equation in $\mathcal{T}$. Conversely, to every variety one can associate an equational theory as follows:


Construction 3.13. Given a variety $\mathcal{V}$, form the family of equations
$$\mathcal{T}(\mathcal{V}) = (\mathcal{T}_X \subseteq X{\twoheadrightarrow}\mathcal{A}_0)_{X \in \mathcal{X}},$$
where $\mathcal{T}_X$ consists of all quotients $e_X\colon X \twoheadrightarrow E_X$ with codomain $E_X \in \mathcal{V}$.


Lemma 3.14. For every variety $\mathcal{V}$, the family $\mathcal{T}(\mathcal{V})$ is an equational theory.
We are ready to state the first main result of our paper, the HSP Theorem. Given two equations $\mathcal{T}_X$ and $\mathcal{T}'_X$ over $X \in \mathcal{X}$, we put $\mathcal{T}_X \leq \mathcal{T}'_X$ if every quotient in $\mathcal{T}'_X$ factorizes through some quotient in $\mathcal{T}_X$. Theories form a poset with respect to the order $\mathcal{T} \leq \mathcal{T}'$ iff $\mathcal{T}_X \leq \mathcal{T}'_X$ for all $X \in \mathcal{X}$. Similarly, varieties form a poset (in fact, a complete lattice) ordered by inclusion.


Theorem 3.15 (HSP Theorem). The complete lattices of equational theories and varieties are dually isomorphic. The isomorphism is given by


$$\mathcal{V} \mapsto \mathcal{T}(\mathcal{V}) \qquad\text{and}\qquad \mathcal{T} \mapsto V(\mathcal{T}).$$


One can recast the HSP Theorem into a more familiar form, using equations in lieu of equational theories:


Theorem 3.16 (HSP Theorem, equational version). A class $\mathcal{V} \subseteq \mathcal{A}_0$ is equationally presentable if and only if it forms a variety.


Proof. By Lemma 3.9, every equationally presentable class $V(\mathbb{E})$ is a variety. Conversely, for every variety $\mathcal{V}$ one has $\mathcal{V} = V(\mathcal{T}(\mathcal{V}))$ by Theorem 3.15, so $\mathcal{V}$ is presented by the equations $\mathbb{E} = \{\mathcal{T}_X : X \in \mathcal{X}\}$ where $\mathcal{T} = \mathcal{T}(\mathcal{V})$.


4 Equational Logic 


The correspondence between theories and varieties gives rise to the second main result of our paper, a generic sound and complete deduction system for reasoning about equations. The corresponding semantic concept is the following:


Definition 4.1. An equation $\mathcal{T}_X \subseteq X{\twoheadrightarrow}\mathcal{A}_0$ semantically entails the equation $\mathcal{T}'_Y \subseteq Y{\twoheadrightarrow}\mathcal{A}_0$ if every $\mathcal{A}_0$-object satisfying $\mathcal{T}_X$ also satisfies $\mathcal{T}'_Y$ (that is, if $V(\mathcal{T}_X) \subseteq V(\mathcal{T}'_Y)$). In this case, we write $\mathcal{T}_X \models \mathcal{T}'_Y$.


The key to our proof system is a categorical formulation of term substitution:


Definition 4.2. Let $\mathcal{T}_X \subseteq X{\twoheadrightarrow}\mathcal{A}_0$ be an equation over $X \in \mathcal{X}$. The substitution closure of $\mathcal{T}_X$ is the smallest theory $\overline{\mathcal{T}} = (\overline{\mathcal{T}}_Y)_{Y \in \mathcal{X}}$ such that $\mathcal{T}_X \leq \overline{\mathcal{T}}_X$.


The substitution closure of an equation can be computed as follows:
Lemma 4.3. For every equation $\mathcal{T}_X \subseteq X{\twoheadrightarrow}\mathcal{A}_0$ one has $\overline{\mathcal{T}} = \mathcal{T}(V(\mathcal{T}_X))$.


The deduction system for semantic entailment consists of two proof rules:


(Weakening) $\mathcal{T}_X \vdash \mathcal{T}'_X$ for all equations $\mathcal{T}'_X \leq \mathcal{T}_X$ over $X \in \mathcal{X}$.
(Substitution) $\mathcal{T}_X \vdash \overline{\mathcal{T}}_Y$ for all equations $\mathcal{T}_X$ over $X \in \mathcal{X}$ and all $Y \in \mathcal{X}$.


Given equations $\mathcal{T}_X$ and $\mathcal{T}'_Y$ over $X$ and $Y$, respectively, we write $\mathcal{T}_X \vdash \mathcal{T}'_Y$ if $\mathcal{T}'_Y$ arises from $\mathcal{T}_X$ by a finite chain of applications of the above rules.


Theorem 4.4 (Completeness Theorem). The deduction system for semantic entailment is sound and complete: for every pair of equations $\mathcal{T}_X$ and $\mathcal{T}'_Y$,


$$\mathcal{T}_X \vdash \mathcal{T}'_Y \quad\text{iff}\quad \mathcal{T}_X \models \mathcal{T}'_Y.$$
5 Applications


In this section, we present some of the applications of our categorical results (see [20] for full details). Transferring the general HSP theorem of Sect. 3 into a concrete setting requires performing the following four-step procedure:


Step 1. Instantiate the parameters $\mathcal{A}$, $(\mathcal{E}, \mathcal{M})$, $\mathcal{A}_0$, $\Lambda$ and $\mathcal{X}$ of our categorical framework, and characterize the quotients in $\mathcal{E}_\mathcal{X}$.

Step 2. Establish an exactness property for the category $\mathcal{A}$, i.e. a correspondence between quotients $e\colon A \twoheadrightarrow B$ in $\mathcal{A}$ and suitable relations between elements of $A$.

Step 3. Infer a suitable syntactic notion of equation, and prove it to be expressively equivalent to the categorical notion of equation given by Definition 3.3.

Step 4. Invoke Theorem 3.15 to deduce an HSP theorem.


The details of Steps 2 and 3 are application-specific, but typically straightforward. In each case, the bulk of the usual work required for establishing the HSP theorem is moved to our general categorical results and thus comes for free.

Similarly, to obtain a complete deduction system in a concrete application, it suffices to phrase the two proof rules of our generic equational logic in syntactic terms, using the correspondence of quotients and relations from Step 2; then Theorem 4.4 gives the completeness result.


5.1 Classical $\Sigma$-Algebras
The classical Birkhoff theorem emerges from our general results as follows.


Step 1. Choose the parameters of Example 3.2(1), and recall that $\mathcal{E}_\mathcal{X} = \mathcal{E}$.
Step 2. The exactness property of $\mathbf{Alg}(\Sigma)$ is given by the correspondence (3.1).

Step 3. Recall from Example 3.5(1) that equations can be presented as single quotients $e\colon T_\Sigma X \twoheadrightarrow E_X$. The exactness property (3.1) leads to the following classical syntactic concept: a term equation over a set $X$ of variables is a pair $(s, t) \in T_\Sigma X \times T_\Sigma X$, denoted as $s = t$. It is satisfied by a $\Sigma$-algebra $A$ if for every map $h\colon X \to A$ we have $h^\sharp(s) = h^\sharp(t)$. Here, $h^\sharp\colon T_\Sigma X \to A$ denotes the unique extension of $h$ to a $\Sigma$-homomorphism. Equations and term equations are expressively equivalent in the following sense:

(1) For every equation $e\colon T_\Sigma X \twoheadrightarrow E_X$, the kernel ${\equiv_e} \subseteq T_\Sigma X \times T_\Sigma X$ is a set of term equations equivalent to $e$, that is, a $\Sigma$-algebra satisfies the equation $e$ iff it satisfies all term equations in $\equiv_e$. This follows immediately from (3.1).

(2) Conversely, given a term equation $(s, t) \in T_\Sigma X \times T_\Sigma X$, form the smallest congruence $\equiv$ on $T_\Sigma X$ with $s \equiv t$ (viz. the intersection of all such congruences) and let $e\colon T_\Sigma X \twoheadrightarrow E_X$ be the corresponding quotient. Then a $\Sigma$-algebra satisfies $s = t$ iff it satisfies $e$. Again, this is a consequence of (3.1).
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Step 4. From Theorem 3.16 and Example3.7(1), we deduce the classical 


Theorem 5.1 (Birkhoff [7]). A class of X’-algebras is a variety (i.e. closed 
under quotients, subalgebras, products) iff it is axiomatizable by term equations. 


Similarly, one can obtain Birkhoff’s complete deduction system for term equa- 
tions as an instance of Theorem 4.4; see [20, Section B.1] for details. 


5.2 Finite Σ-Algebras 


Next, we derive Eilenberg and Schützenberger's equational characterization of 
pseudovarieties of algebras over a finite signature $\Sigma$ using our four-step plan: 


Step 1. Choose the parameters of Example 3.2(2), and recall that $\mathcal{E}_{\mathcal{X}} = \mathcal{E}$. 

Step 2. The exactness property of $\mathbf{Alg}(\Sigma)$ is given by (3.1). 

Step 3. By Example 3.2(2), an equational theory is given by a family of filters 
$\mathcal{T}_n$ ($n < \omega$) of finite quotients of $T_\Sigma n$. The corresponding syntactic concept involves 
sequences $(s_i = t_i)_{i<\omega}$ of term equations. We say that a finite $\Sigma$-algebra $A$ 
eventually satisfies such a sequence if there exists $i_0 < \omega$ such that $A$ satisfies 
all equations $s_i = t_i$ with $i \geq i_0$. Equational theories and sequences of term 
equations are expressively equivalent: 

(1) Let $\mathcal{T} = (\mathcal{T}_n)_{n<\omega}$ be a theory. Since $\Sigma$ is a finite signature, for each 
finite quotient $e\colon T_\Sigma n \twoheadrightarrow E$ the kernel $\equiv_e$ is a finitely generated 
congruence [12, Prop. 2]. Consequently, for each $n < \omega$ the algebra $T_\Sigma n$ 
has only countably many finite quotients. In particular, the codirected 
poset $\mathcal{T}_n$ is countable, so it contains an $\omega^{\mathrm{op}}$-chain $e_n^0 \geq e_n^1 \geq e_n^2 \geq \cdots$ 
that is cofinal, i.e., each $e \in \mathcal{T}_n$ is above some $e_n^i$. The $e_n^i$ can be chosen 
in such a way that, for each $m > n$ and $g\colon m \to n$, the morphism 
$e_n^i \cdot T_\Sigma g$ factorizes through $e_m^i$. For each $n < \omega$, choose a finite subset 
$W_n \subseteq T_\Sigma n \times T_\Sigma n$ generating the kernel of $e_n^n$. Let $(s_i = t_i)_{i<\omega}$ be a 
sequence of term equations in which $(s_i, t_i)$ ranges over $\bigcup_{n<\omega} W_n$. One 
can verify that a finite $\Sigma$-algebra lies in $\mathcal{V}(\mathcal{T})$ iff it eventually satisfies 
$(s_i = t_i)_{i<\omega}$. 

(2) Conversely, given a sequence of term equations $(s_i = t_i)_{i<\omega}$ with 
$(s_i, t_i) \in T_\Sigma m_i \times T_\Sigma m_i$, form the theory $\mathcal{T} = (\mathcal{T}_n)_{n<\omega}$ where $\mathcal{T}_n$ consists 
of all finite quotients $e\colon T_\Sigma n \twoheadrightarrow E$ with the following property: 

$$\exists i_0 < \omega\ \ \forall i \geq i_0\ \ \forall g\colon T_\Sigma m_i \to T_\Sigma n:\quad e \cdot g(s_i) = e \cdot g(t_i).$$

Then a finite $\Sigma$-algebra eventually satisfies $(s_i = t_i)_{i<\omega}$ iff it lies in 
$\mathcal{V}(\mathcal{T})$. 

Step 4. The theory version of our HSP theorem (Theorem 3.16) now implies: 

Theorem 5.2 (Eilenberg-Schützenberger [12]). A class of finite $\Sigma$-algebras 
is a pseudovariety (i.e. closed under quotients, subalgebras, and finite products) 
iff it is axiomatizable by a sequence of term equations. 


In an alternative characterization of pseudovarieties due to Reiterman [25], where 
the restriction to finite signatures $\Sigma$ can be dropped, sequences of term equations 
are replaced by the topological concept of a profinite equation. This result can 
also be derived from our general HSP theorem, see [20, Section B.4]. 
5.3 Quantitative Algebras 

In this section, we derive an HSP theorem for quantitative algebras. 


Step 1. Choose the parameters of Example 3.2(3). Recall that we work with a 
fixed regular cardinal $c > 1$ and that $\mathcal{E}_{\mathcal{X}}$ consists of all $c$-reflexive quotients. 

Step 2. To state the exactness property of $\mathbf{QAlg}(\Sigma)$, recall that an (extended) 
pseudometric on a set $A$ is a map $p\colon A \times A \to [0, \infty]$ satisfying all axioms of an 
extended metric except possibly the implication $p(a,b) = 0 \Rightarrow a = b$. Given 
a quantitative $\Sigma$-algebra $A$, a pseudometric $p$ on $A$ is called a congruence if 
(i) $p(a,a') \leq d_A(a,a')$ for all $a, a' \in A$, and (ii) every operation $\sigma\colon A^n \to A$ 
($\sigma \in \Sigma$) is nonexpansive w.r.t. $p$. Congruences are ordered by $p \leq q$ iff 
$p(a,a') \leq q(a,a')$ for all $a, a' \in A$. There is a dual isomorphism of complete 
lattices 

$$\text{quotient algebras of } A \;\cong\; \text{congruences on } A \qquad (5.1)$$

mapping $e\colon A \twoheadrightarrow B$ to the congruence $p_e$ on $A$ given by $p_e(a,b) = d_B(e(a), e(b))$. 

Step 3. By Example 3.5(3), equations can be presented as single quotients 
$e\colon T_\Sigma X \twoheadrightarrow E$, where $X$ is a $c$-clustered space. The exactness property (5.1) 
suggests replacing equations by the following syntactic concept. A $c$-clustered 
equation over the set $X$ of variables is an expression 

$$x_i =_{\varepsilon_i} y_i \ (i \in I) \ \vdash\ s =_{\varepsilon} t \qquad (5.2)$$

where (i) $I$ is a set, (ii) $x_i, y_i \in X$ for all $i \in I$, (iii) $s$ and $t$ are $\Sigma$-terms over $X$, 
(iv) $\varepsilon_i, \varepsilon \in [0, \infty]$, and (v) the equivalence relation on $X$ generated by the pairs 
$(x_i, y_i)$ ($i \in I$) has all equivalence classes of cardinality $< c$. In other words, 
the set of variables can be partitioned into subsets of size $< c$ such that only 
relations between variables in the same subset appear on the left-hand side of 
(5.2). A quantitative $\Sigma$-algebra $A$ satisfies (5.2) if for every map $h\colon X \to A$ 
with $d_A(h(x_i), h(y_i)) \leq \varepsilon_i$ for all $i \in I$, one has $d_A(h^\#(s), h^\#(t)) \leq \varepsilon$. Here 
$h^\#\colon T_\Sigma X \to A$ denotes the unique $\Sigma$-homomorphism extending $h$. 


Equations and $c$-clustered equations are expressively equivalent: 

(1) Let $X$ be a $c$-clustered space, i.e. $X = \coprod_{j \in J} X_j$ with $|X_j| < c$. Every 
equation $e\colon T_\Sigma X \twoheadrightarrow E$ induces a set of $c$-clustered equations over $X$ 
given by 

$$x =_{\varepsilon_{x,y}} y \ (j \in J,\ x, y \in X_j) \ \vdash\ s =_{\varepsilon_{s,t}} t \qquad (s, t \in T_\Sigma X), \qquad (5.3)$$

with $\varepsilon_{x,y} = d_X(x,y)$ and $\varepsilon_{s,t} = d_E(e(s), e(t))$. It is not difficult to show 
that $e$ and (5.3) are equivalent: an algebra satisfies $e$ iff it satisfies all 
equations (5.3). 

(2) Conversely, to every $c$-clustered equation (5.2) over a set $X$ of variables, 
we associate an equation in two steps: 

- Let $p$ be the largest pseudometric on $X$ with $p(x_i, y_i) \leq \varepsilon_i$ for all $i$ 
(that is, the pointwise supremum of all such pseudometrics). Form 
the corresponding quotient $e_p\colon X \twoheadrightarrow X_p$, see (5.1). It is easy to see 
that $X_p$ is $c$-clustered. 

- Let $q$ be the largest congruence on $T_\Sigma(X_p)$ with $q(T_\Sigma e_p(s), T_\Sigma e_p(t)) \leq \varepsilon$ 
(that is, the pointwise supremum of all such congruences). 
Form the corresponding quotient $e_q\colon T_\Sigma(X_p) \twoheadrightarrow E_q$. 

A routine verification shows that (5.2) and $e_q$ are expressively equivalent, 
i.e. satisfied by the same quantitative $\Sigma$-algebras. 

Step 4. From Theorem 3.16 and Example 3.7(3), we deduce the following 


Theorem 5.3 (Quantitative HSP Theorem). A class of quantitative $\Sigma$-algebras 
is a $c$-variety (i.e. closed under $c$-reflexive quotients, subalgebras, and 
products) iff it is axiomatizable by $c$-clustered equations. 


The above theorem generalizes a recent result of Mardare, Panangaden, and 
Plotkin [19] who considered only signatures $\Sigma$ with operations of finite or countably 
infinite arity and cardinal numbers $c \leq \aleph_1$. Theorem 5.3 holds without any 
restrictions on $\Sigma$ and $c$. In addition to the quantitative HSP theorem, one can 
also derive the completeness of quantitative equational logic [18] from our general 
completeness theorem, see [20, Section B.5] for details. 
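The satisfaction conditions of Sect. 5.1 and Sect. 5.3 can both be checked mechanically on a finite algebra, since a finite carrier admits only finitely many assignments $h\colon X \to A$. The following Python script is an added example (not code from the paper): it evaluates terms under every assignment, decides whether a finite $\Sigma$-algebra satisfies a term equation $s = t$, checks that the operations of a finite metric algebra are nonexpansive, and decides a $c$-clustered equation (5.2) including its side condition (v). The term encoding, the two sample algebras and the metric are our own assumptions.

```python
"""Deciding term equations (Sect. 5.1) and c-clustered equations (Sect. 5.3)
over finite algebras.  Added example, not code from the paper."""
from itertools import product

# Term encoding (our assumption): a variable is a str, a compound term is a
# tuple (op, arg_1, ..., arg_n), a constant is the 1-tuple (op,).  An algebra
# is a carrier (list) plus a dict mapping each symbol to a Python function.


def variables(term):
    """Set of variables occurring in a term."""
    if isinstance(term, str):
        return {term}
    return set().union(*(variables(arg) for arg in term[1:]))


def evaluate(term, ops, h):
    """h#(term): the homomorphic extension of an assignment h: X -> A."""
    if isinstance(term, str):
        return h[term]
    op, *args = term
    return ops[op](*(evaluate(arg, ops, h) for arg in args))


def assignments(xs, carrier):
    """All maps h: X -> A for a finite variable set X and finite carrier A."""
    xs = sorted(xs)
    for values in product(carrier, repeat=len(xs)):
        yield dict(zip(xs, values))


def satisfies_term_equation(carrier, ops, s, t):
    """A |= s = t  iff  h#(s) = h#(t) for every assignment h (Sect. 5.1)."""
    xs = variables(s) | variables(t)
    return all(evaluate(s, ops, h) == evaluate(t, ops, h)
               for h in assignments(xs, carrier))


def is_quantitative_algebra(carrier, ops, arity, d):
    """Condition (ii) for the metric d itself: every operation is nonexpansive
    w.r.t. the max (product) metric on A^n."""
    for op, n in arity.items():
        for a, b in product(product(carrier, repeat=n), repeat=2):
            bound = max((d(x, y) for x, y in zip(a, b)), default=0.0)
            if d(ops[op](*a), ops[op](*b)) > bound:
                return False
    return True


def is_c_clustered(premises, c):
    """Side condition (v) of (5.2): the equivalence relation generated by the
    premise pairs (x_i, y_i) has all classes of cardinality < c."""
    parent = {}

    def find(v):
        parent.setdefault(v, v)
        while parent[v] != v:
            v = parent[v]
        return v

    for x, y, _ in premises:
        parent[find(x)] = find(y)
    sizes = {}
    for v in list(parent):
        root = find(v)
        sizes[root] = sizes.get(root, 0) + 1
    return all(size < c for size in sizes.values())


def satisfies_clustered_equation(carrier, ops, d, premises, s, t, eps):
    """A |= (x_i =_{eps_i} y_i)_i |- s =_eps t (Sect. 5.3): for every h with
    d(h(x_i), h(y_i)) <= eps_i for all i, one has d(h#(s), h#(t)) <= eps."""
    xs = variables(s) | variables(t)
    xs |= {v for x, y, _ in premises for v in (x, y)}
    for h in assignments(xs, carrier):
        if all(d(h[x], h[y]) <= e for x, y, e in premises):
            if d(evaluate(s, ops, h), evaluate(t, ops, h)) > eps:
                return False
    return True


# Constructed sample algebras (assumptions, not taken from the paper).
# (1) The two-element join semilattice {0, 1} with a single binary "or".
B2, B2_OPS = [0, 1], {"or": lambda a, b: a | b}
# (2) A quantitative algebra: the chain {0, 1/2, 1} with the usual distance
#     and "min" as its only operation.
Q3, Q3_OPS, Q3_ARITY = [0.0, 0.5, 1.0], {"min": min}, {"min": 2}


def d_abs(a, b):
    return abs(a - b)


if __name__ == "__main__":
    # x or y = y or x holds in B2; x or y = x does not.
    print(satisfies_term_equation(B2, B2_OPS, ("or", "x", "y"), ("or", "y", "x")))
    print(satisfies_term_equation(B2, B2_OPS, ("or", "x", "y"), "x"))
    # x =_{1/2} y |- min(x,z) =_{1/2} min(y,z) holds in Q3,
    # x =_{1/2} y |- x =_{1/4} y does not.
    print(satisfies_clustered_equation(Q3, Q3_OPS, d_abs, [("x", "y", 0.5)],
                                       ("min", "x", "z"), ("min", "y", "z"), 0.5))
    print(satisfies_clustered_equation(Q3, Q3_OPS, d_abs, [("x", "y", 0.5)],
                                       "x", "y", 0.25))
```

The brute-force enumeration of assignments is exponential in the number of variables, which is acceptable for the small algebras used to sanity-check an axiomatization but is not the route the paper takes: the categorical proofs work with the kernel congruences of Step 2 directly, and the enumeration here only illustrates the satisfaction relation that those congruences encode.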


5.4 Nominal Algebras 


In this section, we derive an HSP theorem for algebras in the category $\mathbf{Nom}$ of 
nominal sets and equivariant maps; see Pitts [24] for the required terminology. 
We denote by $\mathbb{A}$ the countably infinite set of atoms, by $\mathrm{Perm}(\mathbb{A})$ the group of 
finite permutations of $\mathbb{A}$, and by $\mathrm{supp}_X(x)$ the least support of an element $x$ of 
a nominal set $X$. Recall that $X$ is strong if, for all $x \in X$ and $\pi \in \mathrm{Perm}(\mathbb{A})$, 

$$[\,\forall a \in \mathrm{supp}_X(x)\colon \pi(a) = a\,] \iff \pi \cdot x = x.$$

A supported set is a set $X$ equipped with a map $\mathrm{supp}_X\colon X \to \mathcal{P}(\mathbb{A})$. A morphism 
$f\colon X \to Y$ of supported sets is a function with $\mathrm{supp}_Y(f(x)) \subseteq \mathrm{supp}_X(x)$ for all 
$x \in X$. Every nominal set $X$ is a supported set w.r.t. its least-support map $\mathrm{supp}_X$. 
The following lemma, whose first part is a reformulation of [21, Prop. 5.10], gives 
a useful description of strong nominal sets in terms of supported sets. 


Lemma 5.4. The forgetful functor from $\mathbf{Nom}$ to $\mathbf{SuppSet}$ has a left adjoint 
$F\colon \mathbf{SuppSet} \to \mathbf{Nom}$. The nominal sets of the form $FY$ ($Y \in \mathbf{SuppSet}$) are 
up to isomorphism exactly the strong nominal sets. 


Fix a finitary signature $\Sigma$. A nominal $\Sigma$-algebra is a $\Sigma$-algebra $A$ carrying the 
structure of a nominal set such that all $\Sigma$-operations $\sigma\colon A^n \to A$ are equivariant. 
The forgetful functor from the category $\mathbf{NomAlg}(\Sigma)$ of nominal $\Sigma$-algebras 
and equivariant $\Sigma$-homomorphisms to $\mathbf{Nom}$ has a left adjoint assigning to each 
nominal set $X$ the free nominal $\Sigma$-algebra $T_\Sigma X$, carried by the set of $\Sigma$-terms 
and with group action inherited from $X$. To derive a nominal HSP theorem from 
our general categorical results, we proceed as follows. 

Step 1. Choose the parameters of our setting as follows: 

- $\mathcal{A} = \mathcal{A}_0 = \mathbf{NomAlg}(\Sigma)$; 

- $(\mathcal{E}, \mathcal{M})$ = (surjective morphisms, injective morphisms); 

- $\Lambda$ = all cardinal numbers; 

- $\mathcal{X} = \{\,T_\Sigma X : X \text{ is a strong nominal set}\,\}$. 

One can show that a quotient $e\colon A \twoheadrightarrow B$ belongs to $\mathcal{E}_{\mathcal{X}}$ iff it is support-reflecting: 
for every $b \in B$ there exists $a \in A$ with $e(a) = b$ and $\mathrm{supp}_A(a) = \mathrm{supp}_B(b)$. 

Step 2. A nominal congruence on a nominal $\Sigma$-algebra $A$ is a $\Sigma$-algebra 
congruence $\equiv\ \subseteq A \times A$ that forms an equivariant subset of $A \times A$. In analogy 
to (3.1), there is an isomorphism of complete lattices 

$$\text{quotient algebras of } A \;\cong\; \text{nominal congruences on } A. \qquad (5.4)$$

Step 3. By Remark 3.4, an equation can be presented as a single quotient 
$e\colon T_\Sigma X \twoheadrightarrow E$, where $X$ is a strong nominal set. Equations can be described 
by syntactic means as follows. A nominal $\Sigma$-term over a set $Y$ of variables 
is an element of $T_\Sigma(\mathrm{Perm}(\mathbb{A}) \times Y)$. Every map $h\colon Y \to A$ into a nominal 
$\Sigma$-algebra $A$ extends to the homomorphism 

$$\hat h = \Big(\, T_\Sigma(\mathrm{Perm}(\mathbb{A}) \times Y) \xrightarrow{\;T_\Sigma(\mathrm{Perm}(\mathbb{A}) \times h)\;} T_\Sigma(\mathrm{Perm}(\mathbb{A}) \times A) \xrightarrow{\;T_\Sigma(\cdot)\;} T_\Sigma A \xrightarrow{\;\mathrm{id}^\#\;} A \,\Big)$$

where $\cdot\colon \mathrm{Perm}(\mathbb{A}) \times A \to A$ is the group action of $A$ and $\mathrm{id}^\#$ is the unique 
$\Sigma$-homomorphism extending the identity map $\mathrm{id}\colon A \to A$. A nominal equation 
over $Y$ is an expression of the form 

$$\mathrm{supp}_Y \vdash s = t, \qquad (5.5)$$

where $\mathrm{supp}_Y\colon Y \to \mathcal{P}(\mathbb{A})$ is a function and $s$ and $t$ are nominal $\Sigma$-terms 
over $Y$. A nominal $\Sigma$-algebra $A$ satisfies the equation $\mathrm{supp}_Y \vdash s = t$ if for 
every map $h\colon Y \to A$ with $\mathrm{supp}_A(h(y)) \subseteq \mathrm{supp}_Y(y)$ for all $y \in Y$ one has 
$\hat h(s) = \hat h(t)$. Equations and nominal equations are expressively equivalent: 

(1) Given an equation $e\colon T_\Sigma X \twoheadrightarrow E$ with $X$ a strong nominal set, choose 
a supported set $Y$ with $X = FY$, and denote by $\eta_Y\colon Y \to FY$ the 
universal map (see Lemma 5.4). Form the nominal equations over $Y$ 
given by 

$$\mathrm{supp}_Y \vdash s = t \qquad (s, t \in T_\Sigma(\mathrm{Perm}(\mathbb{A}) \times Y) \text{ and } e \cdot T_\Sigma m(s) = e \cdot T_\Sigma m(t)), \qquad (5.6)$$

where $m$ is the composite $\mathrm{Perm}(\mathbb{A}) \times Y \xrightarrow{\;\mathrm{Perm}(\mathbb{A}) \times \eta_Y\;} \mathrm{Perm}(\mathbb{A}) \times X \xrightarrow{\;\cdot\;} X$. 
It is not difficult to see that a nominal $\Sigma$-algebra satisfies $e$ iff it 
satisfies (5.6). 

(2) Conversely, given a nominal equation (5.5) over the set $Y$, let $X = FY$ 
and form the nominal congruence on $T_\Sigma X$ generated by the pair 
$(T_\Sigma m(s), T_\Sigma m(t))$, with $m$ defined as above. Let $e\colon T_\Sigma X \twoheadrightarrow E$ be the 
corresponding quotient, see (5.4). One can show that a nominal $\Sigma$-algebra 
satisfies $e$ iff it satisfies (5.5). 

Step 4. We thus deduce the following result as an instance of Theorem 3.16: 

Theorem 5.5 (Kurz and Petrişan [16]). A class of nominal $\Sigma$-algebras is a 
variety (i.e. closed under support-reflecting quotients, subalgebras, and products) 
iff it is axiomatizable by nominal equations. 


For brevity and simplicity, in this section we restricted ourselves to algebras for 
a signature. Kurz and Petrişan proved a more general HSP theorem for algebras 
over an endofunctor on $\mathbf{Nom}$ with a suitable finitary presentation. This extra 
generality allows one to incorporate, for instance, algebras for binding signatures. 


5.5 Further Applications 


Let us briefly mention some additional instances of our framework, all of which 
are given a detailed treatment in the full arXiv paper [20]. 


Ordered Algebras. Bloom [8] proved an HSP theorem for $\Sigma$-algebras in the 
category of posets: a class of such algebras is closed under homomorphic images, 
subalgebras, and products iff it is axiomatizable by inequations $s \leq t$ between 
$\Sigma$-terms. This result can be derived much like the unordered case in Sect. 5.1. 


Continuous Algebras. A more intricate ordered version of Birkhoff's theorem 
concerns continuous algebras, i.e. $\Sigma$-algebras with an $\omega$-cpo structure on their 
underlying set and continuous $\Sigma$-operations. Adámek, Nelson, and Reiterman [3] 
proved that a class of continuous algebras is closed under homomorphic images, 
subalgebras, and products iff it is axiomatizable by inequations between terms 
with formal suprema (e.g. $\sigma(x) \leq \bigvee_{i<\omega} x_i$). This result again emerges as an 
instance of our general HSP theorem. A somewhat curious feature of this application 
is that the appropriate factorization system $(\mathcal{E}, \mathcal{M})$ takes as $\mathcal{E}$ the class 
of dense morphisms, i.e. morphisms of $\mathcal{E}$ are not necessarily surjective. However, 
one has $\mathcal{E}_{\mathcal{X}}$ = surjections, so homomorphic images are formed in the usual sense. 


Abstract HSP Theorems. Our results subsume several existing categorical 
generalizations of Birkhoff's theorem. For instance, Theorem 3.15 yields Manes' 
[17] correspondence between quotient monads $T \twoheadrightarrow T'$ and varieties of $T$-algebras 
for any monad $T$ on $\mathbf{Set}$. Similarly, Banaschewski and Herrlich's [6] HSP theorem 
for objects in categories with enough projectives is a special case of Theorem 3.16. 


6 Conclusions and Future Work 


We have presented a categorical approach to the model theory of algebras with 
additional structure. Our framework applies to a broad range of different settings 
and greatly simplifies the derivation of HSP-type theorems and completeness 
results for equational deduction systems, as the generic part of such derivations 
now comes for free using our Theorems 3.15, 3.16 and 4.4. There remain a number 
of interesting directions and open questions for future work. 

As shown in Sect. 5, the key to arriving at a syntactic notion of equation lies 
in identifying a correspondence between quotients and suitable relations, which 
we informally coined "exactness". The similarity of these correspondences in our 
applications suggests that there should be a (possibly enriched) notion of exact 
category that covers our examples; cf. Kurz and Velebil's [15] 2-categorical view 
of ordered algebras. This would allow more work to be moved to the generic theory. 

Theorem 4.4 can be used to recover several known sound and complete equational 
logics, but it also applies to settings where no such logic is known, for 
instance, a logic of profinite equations (however, cf. recent work of Almeida and 
Klíma [5]). In each case, the challenge is to translate our two abstract proof rules 
into concrete syntax, which requires the identification of a syntactic equivalent of 
the two properties of an equational theory. While substitution invariance always 
translates into a syntactic substitution rule in a straightforward manner, $\mathcal{E}_{\mathcal{X}}$-completeness 
does not appear to have an obvious syntactic counterpart. In most 
of the cases where a concrete equational logic is known, this issue is obfuscated 
by the fact that one has $\mathcal{E}_{\mathcal{X}} = \mathcal{E}$, so $\mathcal{E}_{\mathcal{X}}$-completeness becomes a trivial property. 
Finding a syntactic account of $\mathcal{E}_{\mathcal{X}}$-completeness remains an open problem. 
One notable case where $\mathcal{E}_{\mathcal{X}} \neq \mathcal{E}$ is the one of nominal algebras. Gabbay's work 
[13] does provide an HSP theorem and a sound and complete equational logic 
in a setting slightly different from Sect. 5.4, and it should be interesting to see 
whether this can be obtained as an instance of our framework. 

Finally, in previous work [29] we have introduced the notion of a profinite theory 
(a special case of the equational theories in the present paper) and shown how 
the dual concept can be used to derive Eilenberg-type correspondences between 
varieties of languages and pseudovarieties of finite algebras. Our present results 
pave the way to an extension of this method to new settings, such as nominal 
sets. Indeed, a simple modification of the parameters in Sect. 5.4 yields a new 
HSP theorem for orbit-finite nominal $\Sigma$-algebras. We expect that a dualization 
of this result in the spirit of loc. cit. leads to a correspondence between varieties 
of data languages and varieties of orbit-finite nominal monoids, an important 
step towards an algebraic theory of data languages. 


Acknowledgement. The authors would like to thank Thorsten Wißmann for insightful 
discussions on nominal sets. 
Abstract. We present a structural proof system, based on the machinery 
of hypersequent calculi, for a simple probabilistic modal logic underlying 
very expressive probabilistic μ-calculi. We prove the soundness and 
completeness of the proof system with respect to an equational axiomatisation 
and the fundamental cut-elimination theorem. 


1 Introduction 


Modal and temporal logics are formalisms designed to express properties of 
mathematical structures representing the behaviour of computing systems, such 
as, e.g., Kripke frames, trees and labeled transition systems. A fundamental 
problem regarding such logics is the equivalence problem: given two formulas $\phi$ 
and $\psi$, establish whether $\phi$ and $\psi$ are semantically equivalent. For many temporal 
logics, including the basic modal logic K (see, e.g., [BdRV02]) and its 
many extensions such as the modal μ-calculus [Koz83], the equivalence problem 
is decidable and can be answered automatically. This is, of course, a very desirable 
fact. However, a fully automatic approach is not always viable due to the 
high complexity of the algorithms involved. An alternative and complementary 
approach is to use human-aided proof systems for constructing formal proofs of 
the desired equalities. As a concrete example, the well-known equational axioms 
of Boolean algebras together with two axioms for the $\Diamond$ modality: 

$$\Diamond \bot = \bot \qquad\qquad \Diamond(x \lor y) = \Diamond(x) \lor \Diamond(y)$$

can be used to construct formal proofs of all valid equalities between formulas 
of modal logic using the familiar deductive rules of equational logic (see 
Definition 3). The simplicity of equational logic is a great feature of this kind of 
system but sometimes comes at a cost because even seemingly trivial equalities 
often require significant human ingenuity to be proved.¹ The problem lies in 
the transitivity rule ($a = b$ and $b = c$ imply $a = c$), which requires one to guess, among 
infinitely many possibilities, an interpolant formula $b$ in order to prove the equality $a = c$. 


¹ Example: the law of idempotence $x \lor x = x$ can be derived from the standard axioms 
of Boolean algebras (i.e., complemented distributive lattices) as: $x \lor x = (x \lor x) \land \top = 
(x \lor x) \land (x \lor \lnot x) = x \lor (x \land \lnot x) = x \lor \bot = x$. 


The authors were supported by the French project ANR-16-CE25-0011 REPAS. 


© The Author(s) 2019 
M. Bojańczyk and A. Simpson (Eds.): FOSSACS 2019, LNCS 11425, pp. 418-435, 2019. 
https://doi.org/10.1007/978-3-030-17127-8_24 


Towards a Structural Proof Theory of Probabilistic μ-Calculi 419 

The field of structural proof theory (see [Bus98]), originated with the seminal 
work of Gentzen on his sequent calculus proof system LK for classical propo- 
sitional (first-order) logic [Gen34], investigates proof systems which, roughly 
speaking, require less human ingenuity. The key technical result regarding the 
sequent calculus, the cut-elimination theorem, implies that when searching for a 
proof of a statement, only certain formulas need to be considered: the so-called 
sub-formula property. This simplifies significantly, in practice, the proof search 
endeavour. The original system LK of Gentzen has been extensively investi- 
gated and generalised and, for example, it can be extended with rules for the 
© modality and becomes a convenient proof system for modal logic [Wan96]. 
Furthermore, it is possible to extend it with rules for dealing with (co)inductive 
definitions and it becomes a proof system for the modal p-calculus (see, e.g., 
[Stu07]). Research on the structural proof theory of the modal p-calculus is an 
active area of research (see, e.g., recent [Dou17]). 


Probabilistic Logics and the Riesz Modal Logic. Probabilistic logics are temporal 
logics specifically designed to express properties of mathematical structures (e.g., 
Markov chains and Markov decision processes) representing the behaviour of 
computing systems using probabilistic features such as random bit generation. 
Unlike the non-probabilistic case, the equivalence problem for most expressive 
probabilistic logics (e.g., pCTL [LS82, HJ94], see also [BK08, BBLM17]) is not 
known to be decidable. Hence, human-aided proof systems are currently the only 
viable approach to establish equalities of formulas of expressive probabilistic 
logics. To the best of our knowledge, however, all the proof systems proposed 
in the literature (see, e.g., [DFHM16] for the logic pCTL, [BGZB09, Hsu17] for 
pRHL and [Koz85] for pPDL) are not entirely satisfactory because they include 
rules, such as the transitivity rule discussed above, violating the sub-formula 
property. 

Another line of work on probabilistic logics has focused on probabilistic μ-calculi 
([MM07, HK97, DGJP00, dA03, MS17, Mio11, Mio12a, Mio14]). These logical 
formalisms are, similarly to Kozen's modal μ-calculus, obtained by extending 
a base real-valued modal logic with (co)inductively defined operators. Recently, 
in [MFM17], a base real-valued modal logic called Riesz modal logic ($\mathcal{R}$) has been 
defined and a sound and complete equational axiomatisation has been obtained 
(see Definition 2). Importantly, the logic $\mathcal{R}$ extended with (co)inductively defined 
operators is sufficiently expressive to interpret most other probabilistic logics, 
including pCTL [Mio12b, Mio18, MS13a]. Hence, the Riesz modal logic appears 
to be a convenient base for developing the theory of probabilistic μ-calculi and, 
more generally, probabilistic logics. 


Contributions of This Work. This work is a first step towards the development of 
the structural proof theory of probabilistic μ-calculi. We introduce a hypersequent 
calculus called MGA (read modal GA) for a version of the Riesz modal logic (the 
scalar-free fragment, see Sect. 2 for details) and prove the cut-elimination 
theorem. Formally we prove: 


Theorem 1. The hypersequent calculus MGA is sound and complete with 
respect to the equational axioms of Fig. 1 and the CUT rule is eliminable. 


The machinery of hypersequent calculi has been introduced by Avron in 
[Avr87] and, independently, by Pottinger in [Pot83]. Our calculus extends the 
hypersequent calculus GA of Metcalfe, Olivetti and Gabbay [MOG05] (see also 
the book [MOG09] and the related [CM03] and [DMS18]), which is a sound and 
complete structural proof system for the equational theory of lattice-ordered 
abelian groups (axioms (1) in Fig. 1, see [Vul67] for an overview). The main 
contributions of this work are: 


1. The careful extension of the system GA of [MOG05] with appropriate proof 
rules for the modality ($\Diamond$) and the proof of soundness and completeness. 

2. The non-trivial adaptation of the proof technique used in [MOG09, §5.2] to 
prove the cut-elimination theorem for GA. 

3. The formalisation, using the theorem prover Agda, of our key technical results: 
Theorems 4 and 9. The code is freely available at [Agd]. 


In particular, the last point above guarantees the correctness of the proofs of 
all our novel technical results which, as is often the case in proof theory, 
involve complex and long induction arguments. Given the availability of formalised 
proofs, in this work we focus on illustrating the main ideas behind our 
arguments rather than spelling out all technical details. 


Organisation of the Paper. In Sect. 2 we provide the necessary definitions about 
the Riesz modal logic from [MFM17, Mio18] and about the hypersequent calculus 
GA of [MOG05, MOG09]. In Sect. 3 we present our hypersequent calculus MGA 
and state the main theorems. In Sect. 4 we sketch the main ideas behind our 
proof of cut-elimination. Lastly, in Sect. 5 we discuss some directions for future 
work. 


2 Technical Background 


2.1 The Riesz Modal Logic and Its Scalar-free Fragment 


The Riesz modal logic $\mathcal{R}$ introduced in [MFM17] is a probabilistic logic for 
expressing properties of discrete or continuous Markov chains. We refer to 
[MFM17] for a detailed introduction. Here we just restrict ourselves to the purely 
syntactical aspects of this logic: its syntax and its axiomatisation. 


Definition 1 (Syntax). The set of formulas of the Riesz modal logic is generated 
by the following grammar: 

$$\phi, \psi ::= x \mid 0 \mid 1 \mid \phi + \psi \mid r\phi \mid \phi \sqcup \psi \mid \phi \sqcap \psi \mid \Diamond\phi$$

where $r$, called a scalar, ranges over the set $\mathbb{R}$ of real numbers. We just write 
$-\phi$ in place of $(-1)\phi$. 


A main result of [MFM17] is that two formulas $\phi$ and $\psi$ are semantically 
equivalent if and only if the identity $\phi = \psi$ holds in all modal Riesz spaces. 
Definition 2. A modal Riesz space is an algebraic structure $R$ over the signature 
$\Sigma = \{0, 1, +, r, \sqcup, \sqcap, \Diamond\}_{r \in \mathbb{R}}$ such that the following set $\mathcal{R}$ of axioms holds: 


1. $(R, 0, +, r, \sqcup, \sqcap)_{r \in \mathbb{R}}$ is a Riesz space (see, e.g., [LZ71]), i.e., 
   - $(R, 0, +, r)_{r \in \mathbb{R}}$ is an $\mathbb{R}$-vector space, 
   - $(R, \sqcup, \sqcap)$ is a lattice, 
   - the lattice order ($x \leq y \Leftrightarrow x \sqcap y = x$) is compatible with addition, i.e.: 
     (a) $x \leq y$ implies $x + z \leq y + z$ (i.e., $(x \sqcap y) + z = ((x \sqcap y) + z) \sqcap (y + z)$), 
     (b) $x \geq 0$ implies $rx \geq 0$ (i.e., $0 = 0 \sqcap r(x \sqcup 0)$) for every $r \in \mathbb{R}_{\geq 0}$, 
2. $0 \leq 1$ (i.e., $0 = 0 \sqcap 1$), 
3. the $\Diamond$ operation is linear, positive and 1-decreasing, i.e.: 
   - $\Diamond(x + y) = \Diamond(x) + \Diamond(y)$ and $\Diamond(rx) = r\Diamond(x)$, 
   - if $x \geq 0$ then $\Diamond(x) \geq 0$ (i.e., $0 = 0 \sqcap \Diamond(x \sqcup 0)$), 
   - $\Diamond(1) \leq 1$ (i.e., $\Diamond 1 = \Diamond 1 \sqcap 1$). 


Note that the definition of modal Riesz spaces is purely equational: all axioms 
of Riesz spaces (1) can be expressed equationally and so can the axioms (2) 
and (3). This means, by Birkhoff's completeness theorem, that two formulas are 
semantically equivalent if and only if the identity $\phi = \psi$ can be derived using 
the familiar deductive rules of equational logic, written as $\mathcal{R} \vdash \phi = \psi$. 


Definition 3 (Deductive Rules of Equational Logic). Rules for deriving 
identities from a set $\mathcal{A}$ of equational axioms: 

$$\frac{(t_1 = t_2) \in \mathcal{A}}{\mathcal{A} \vdash t_1 = t_2}\ \text{(axiom)} \qquad 
\frac{}{\mathcal{A} \vdash t = t}\ \text{(refl)} \qquad 
\frac{\mathcal{A} \vdash t_1 = t_2}{\mathcal{A} \vdash t_2 = t_1}\ \text{(sym)} \qquad 
\frac{\mathcal{A} \vdash t_1 = t_2 \quad \mathcal{A} \vdash t_2 = t_3}{\mathcal{A} \vdash t_1 = t_3}\ \text{(trans)}$$

$$\frac{\mathcal{A} \vdash t_1 = t_2}{\mathcal{A} \vdash t_1[\sigma] = t_2[\sigma]}\ \text{(subst)} \qquad 
\frac{\mathcal{A} \vdash t_1 = t_2}{\mathcal{A} \vdash C[t_1] = C[t_2]}\ \text{(context)}$$

where $\sigma$ is a substitution of terms for variables and $C[\,]$ is a context, i.e. a term 
with a hole, built from the function symbols of the fixed signature. 


In what follows we denote with $\mathcal{R} \vdash \phi \leq \psi$ the judgment $\mathcal{R} \vdash \phi = \phi \sqcap \psi$. 
The following elementary facts from the theory of Riesz spaces (see, e.g., [LZ71, 
§2.12]) will be useful. 


Proposition 1. The following assertions hold: 
- $\mathcal{R} \vdash \phi = \psi$ iff $\mathcal{R} \vdash \phi - \psi = 0$, 
- $\mathcal{R} \vdash \phi = \psi$ iff ($\mathcal{R} \vdash \phi \leq \psi$ and $\mathcal{R} \vdash \psi \leq \phi$), 
- $\mathcal{R} \vdash r(x \sqcup y) = rx \sqcup ry$ and $\mathcal{R} \vdash r(x \sqcap y) = rx \sqcap ry$ for every scalar $r \geq 0$ 
(for a negative scalar the roles of $\sqcup$ and $\sqcap$ are exchanged). 


The first point says that an equality $\phi = \psi$ can always be expressed 
as an identity with 0. The second point says that we can express equalities 
with inequalities and vice versa. The third point, together with the other 
axioms, implies that scalar multiplication distributes over all other operations 
$\{+, \sqcup, \sqcap, \Diamond\}$. 

For most practical purposes (when expressing properties of probabilistic models) 
the scalars in the Riesz modal logic can be restricted to be rational numbers. 
Definition 4 (Rational and Scalar-free formulas). A formula $\phi$ is rational 
if all its scalars are rational numbers. Similarly, $\phi$ is scalar-free if its scalars are 
all equal to $(-1)$. Equivalently, the set of scalar-free formulas is generated by the 
following grammar: 

$$A, B ::= x \mid 0 \mid 1 \mid A + B \mid -A \mid A \sqcup B \mid A \sqcap B \mid \Diamond(A).$$


Note how we have switched to the letters $A$ and $B$ to range over scalar-free 
formulas to highlight this distinction. 


Proposition 2. Let $\phi$ be a rational formula. Then there exists a scalar-free 
formula $A$ such that $\mathcal{R} \vdash \phi = 0$ iff $\mathcal{R} \vdash A = 0$. 


Proof. Let $\{r_i\}_{i \in I}$ be the list of rational scalars in $\phi$, with $r_i = \frac{n_i}{m_i}$, and let $d = 
\prod_i m_i$ be the product of all denominators. Since scalar multiplication distributes 
over all operations, it is easy to show that $\mathcal{R} \vdash d\phi = \psi$ for a formula $\psi$ whose 
scalars are all integers. We can then obtain $A$ from $\psi$ by inductively replacing 
any sub-formula of $\psi$ of the form $nB$ with $(B + B + \cdots + B)$ ($n$ times) if $n$ is 
positive, with $-(B + B + \cdots + B)$ if $n$ is negative and with $0$ if $n = 0$. Since $d > 0$, 
$\mathcal{R} \vdash \phi = 0$ iff $\mathcal{R} \vdash d\phi = 0$, which gives the claim. 
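The proof of Proposition 2 is an effective procedure. The following Python script is an added example (not code from the paper) that carries it out on a formula encoding of our own design: it collects the denominators, multiplies by their product $d$, pushes the scalar through the connectives with the distributivity laws (exchanging $\sqcup$ and $\sqcap$ under a negative scalar, which is exactly where the $r \geq 0$ caveat of Proposition 1 matters), and finally unfolds integer scalars into repeated sums. As a sanity check it evaluates $d\phi$ and the resulting $A$ in the concrete modal Riesz space $\mathbb{R}$ with $\Diamond$ interpreted as the identity; that model is an assumption made for the check only and is not the semantics of [MFM17].

```python
"""Scalar elimination for rational Riesz modal logic formulas, following the
proof of Proposition 2.  Added example, not code from the paper."""
from fractions import Fraction
from math import prod

# Formula encoding (our assumption): ("var", x) | ("zero",) | ("one",)
# | ("add", a, b) | ("scale", r, a) | ("join", a, b) | ("meet", a, b)
# | ("mod", a) | ("neg", a), with r a Fraction.  ("neg", a) is (-1)a, the
# only scalar a scalar-free formula may contain.


def subformulas(phi):
    """Depth-first traversal of all nodes of phi."""
    yield phi
    for sub in phi[1:]:
        if isinstance(sub, tuple):
            yield from subformulas(sub)


def scalars(phi):
    """Every r occurring in a ("scale", r, _) node."""
    return [node[1] for node in subformulas(phi) if node[0] == "scale"]


def is_scalar_free(phi):
    return all(node[0] != "scale" for node in subformulas(phi))


def scale(r, phi):
    """R |- r*phi = scale(r, phi): push r inwards using the distributivity
    laws of Proposition 1.  A negative r exchanges join and meet."""
    tag = phi[0]
    if tag == "zero":
        return ("zero",)
    if tag in ("var", "one"):
        return ("scale", r, phi)
    if tag == "add":
        return ("add", scale(r, phi[1]), scale(r, phi[2]))
    if tag == "scale":
        return scale(r * phi[1], phi[2])
    if tag == "neg":
        return scale(-r, phi[1])
    if tag == "mod":
        return ("mod", scale(r, phi[1]))
    if tag in ("join", "meet"):
        flipped = {"join": "meet", "meet": "join"}[tag]
        return (tag if r >= 0 else flipped, scale(r, phi[1]), scale(r, phi[2]))
    raise ValueError(f"unknown connective {tag}")


def expand_integer_scalars(phi):
    """Replace nB by B+...+B (n times), -(B+...+B) or 0, as in the proof."""
    tag = phi[0]
    if tag == "scale":
        n, body = phi[1], expand_integer_scalars(phi[2])
        if n.denominator != 1:
            raise ValueError("apply scale(d, phi) with d clearing denominators first")
        n = int(n)
        if n == 0:
            return ("zero",)
        total = body
        for _ in range(abs(n) - 1):
            total = ("add", total, body)
        return total if n > 0 else ("neg", total)
    return (tag,) + tuple(expand_integer_scalars(sub) if isinstance(sub, tuple)
                          else sub for sub in phi[1:])


def to_scalar_free(phi):
    """Returns (d, A): d is the product of all denominators in phi and A is
    scalar-free with R |- d*phi = A, so R |- phi = 0 iff R |- A = 0."""
    d = Fraction(prod(r.denominator for r in scalars(phi)))
    return d, expand_integer_scalars(scale(d, phi))


def evaluate_real(phi, env):
    """Value of phi in the modal Riesz space R where the diamond is the
    identity (an assumed sanity-check model, not the semantics of [MFM17])."""
    tag = phi[0]
    if tag == "var":
        return Fraction(env[phi[1]])
    if tag in ("zero", "one"):
        return Fraction(1 if tag == "one" else 0)
    if tag == "scale":
        return phi[1] * evaluate_real(phi[2], env)
    if tag in ("neg", "mod"):
        value = evaluate_real(phi[1], env)
        return -value if tag == "neg" else value
    left, right = evaluate_real(phi[1], env), evaluate_real(phi[2], env)
    return {"add": left + right, "join": max(left, right), "meet": min(left, right)}[tag]


# Constructed sample: phi = (1/2)x + (1/3)(diamond(x) join y) - (1/2)1
X, Y = ("var", "x"), ("var", "y")
PHI = ("add",
       ("add", ("scale", Fraction(1, 2), X),
               ("scale", Fraction(1, 3), ("join", ("mod", X), Y))),
       ("neg", ("scale", Fraction(1, 2), ("one",))))

if __name__ == "__main__":
    d, A = to_scalar_free(PHI)
    print(d, is_scalar_free(A))                                  # 12 True
    env = {"x": 1, "y": 5}
    print(evaluate_real(A, env), d * evaluate_real(PHI, env))    # 20 20
```

Taking $d$ as the product of all denominators (rather than their least common multiple) follows the proof literally; it makes every scalar reached by `scale` an integer, at the price of larger repeated sums, which is why the unfolded formula $A$ grows linearly in $d$.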


For this reason in this work we restrict attention to scalar-free formulas and 
we consider the restricted set of axioms $\mathcal{T}$ of Fig. 1. The axioms of Riesz spaces, 
when scalar multiplication is omitted, reduce to the axioms of lattice-ordered 
abelian groups (see, e.g., [Vul67]). The axiom $0 \leq 1$ is unaltered and the axioms 
for the $\Diamond$ modality are naturally adapted. For these reasons we refer to these 
axioms as those of lattice-ordered modal abelian groups. 


1. Axioms of lattice-ordered abelian groups: 
   - Abelian group: $x + (y + z) = (x + y) + z$, $x + y = y + x$, $x + 0 = x$, $x - x = 0$. 
   - Lattice axioms: (associativity) $x \sqcup (y \sqcup z) = (x \sqcup y) \sqcup z$, $x \sqcap (y \sqcap z) = (x \sqcap y) \sqcap z$, 
     (commutativity) $x \sqcup y = y \sqcup x$, $x \sqcap y = y \sqcap x$, (absorption) 
     $x \sqcup (x \sqcap y) = x$, $x \sqcap (x \sqcup y) = x$, (idempotency) $x \sqcup x = x$, $x \sqcap x = x$. 
   - Compatibility: $(x \sqcap y) + z = ((x \sqcap y) + z) \sqcap (y + z)$ 
2. Axioms for the unit: $0 = 0 \sqcap 1$, 
3. Modal axioms: 
   - $\Diamond(x + y) = \Diamond(x) + \Diamond(y)$, $\Diamond(-x) = -\Diamond(x)$ and $\Diamond(0) = 0$, 
   - $0 = 0 \sqcap \Diamond(x \sqcup 0)$, 
   - $\Diamond 1 = \Diamond 1 \sqcap 1$. 


Fig. 1. Set of axioms $\mathcal{T}$ of lattice-ordered modal abelian groups. 


Remark 1. Note that from the previous discussion it does not follow directly that 
$\mathcal{R} \vdash A = B$ implies $\mathcal{T} \vdash A = B$. We indeed conjecture that $\mathcal{R}$ is a conservative 
extension of $\mathcal{T}$ but we have not proved this fact so far. In any case, this is not 
required for the results of this work. 


The main contribution of this work is the design of a sound and complete 
hypersequent calculus for the theory $\mathcal{T}$ and the proof of cut-elimination. 
2.2 The Hypersequent Calculus GA 


Our starting point is the hypersequent calculus GA of [MOG05, MOG09] for the 
theory of lattice-ordered abelian groups (set of axioms (1) in Fig. 1). 


Definition 5 (Formulas, Sequents and Hypersequents). A formula $A$ is 
a term built from a set of variables (ranged over by $x, y, z$) over the signature 
$\{0, +, -, \sqcap, \sqcup\}$. A sequent $S$ is a pair of two (possibly empty) multisets of formulas 
$\Gamma = A_0, \ldots, A_n$ and $\Delta = B_0, \ldots, B_m$, denoted as $\Gamma \vdash \Delta$. A hypersequent 
$G$ is a nonempty multiset $S_1, \ldots, S_n$ of sequents, denoted as $S_1 \mid \ldots \mid S_n$. 


Following [MOG05, MOG09], with some abuse of notation, we denote with 
$S$ both the sequent and the hypersequent consisting of only the sequent $S$. The 
system GA is a deductive system for deriving hypersequents consisting of the 
rules of Fig. 2. The system GA without the CUT rule is denoted by GA*. 

Another convention we adopt from [MOG05, MOG09] is to write $d \vdash_{GA} G$ 
to express the fact that $d$ is a valid GA-derivation of the hypersequent $G$. We 
write $\vdash_{GA} G$ to express the existence of a GA-derivation $d$ such that $d \vdash_{GA} G$. 
Similarly, we write $d \vdash_{GA^*} G$ and $\vdash_{GA^*} G$ when referring to the subsystem GA*. 


Axioms: 

$$\frac{}{\ \vdash\ }\ (\Lambda\text{-ax}) \qquad \frac{}{A \vdash A}\ (\text{ID-ax})$$

Structural rules: 

$$\frac{G}{G \mid \Gamma \vdash \Delta}\ \text{Weakening (W)} \qquad 
\frac{G \mid \Gamma \vdash \Delta \mid \Gamma \vdash \Delta}{G \mid \Gamma \vdash \Delta}\ \text{Contraction (C)}$$

$$\frac{G \mid \Gamma_1, \Gamma_2 \vdash \Delta_1, \Delta_2}{G \mid \Gamma_1 \vdash \Delta_1 \mid \Gamma_2 \vdash \Delta_2}\ \text{Split (S)} \qquad 
\frac{G \mid \Gamma_1 \vdash \Delta_1 \quad G \mid \Gamma_2 \vdash \Delta_2}{G \mid \Gamma_1, \Gamma_2 \vdash \Delta_1, \Delta_2}\ \text{Mix (M)}$$

Logical rules: 

$$\frac{G \mid \Gamma \vdash \Delta}{G \mid \Gamma, 0 \vdash \Delta}\ (0_L) \qquad 
\frac{G \mid \Gamma \vdash \Delta}{G \mid \Gamma \vdash \Delta, 0}\ (0_R)$$

$$\frac{G \mid \Gamma, A, B \vdash \Delta}{G \mid \Gamma, A + B \vdash \Delta}\ (+_L) \qquad 
\frac{G \mid \Gamma \vdash \Delta, A, B}{G \mid \Gamma \vdash \Delta, A + B}\ (+_R)$$

$$\frac{G \mid \Gamma \vdash \Delta, A}{G \mid \Gamma, -A \vdash \Delta}\ (-_L) \qquad 
\frac{G \mid \Gamma, A \vdash \Delta}{G \mid \Gamma \vdash \Delta, -A}\ (-_R)$$

$$\frac{G \mid \Gamma, A \vdash \Delta \quad G \mid \Gamma, B \vdash \Delta}{G \mid \Gamma, A \sqcup B \vdash \Delta}\ (\sqcup_L) \qquad 
\frac{G \mid \Gamma \vdash \Delta, A \mid \Gamma \vdash \Delta, B}{G \mid \Gamma \vdash \Delta, A \sqcup B}\ (\sqcup_R)$$

$$\frac{G \mid \Gamma, A \vdash \Delta \mid \Gamma, B \vdash \Delta}{G \mid \Gamma, A \sqcap B \vdash \Delta}\ (\sqcap_L) \qquad 
\frac{G \mid \Gamma \vdash \Delta, A \quad G \mid \Gamma \vdash \Delta, B}{G \mid \Gamma \vdash \Delta, A \sqcap B}\ (\sqcap_R)$$

CUT rule: 

$$\frac{G \mid \Gamma_1 \vdash \Delta_1, A \quad G \mid \Gamma_2, A \vdash \Delta_2}{G \mid \Gamma_1, \Gamma_2 \vdash \Delta_1, \Delta_2}\ \text{(CUT)}$$


Fig. 2. Inference rules of the hypersequent system GA of [MOG05]. 
Multisets of formulas, sequents and hypersequents are interpreted as a single
formula as follows:


Definition 6 (Interpretation). A multiset of formulas $\Gamma = \phi_1, \ldots, \phi_n$ is
interpreted as the formula $[\Gamma] = \phi_1 + \phi_2 + \cdots + \phi_n$ if $n \geq 1$ and as $[\Gamma] = 0$ if
$\Gamma = \emptyset$. A sequent $S = \Gamma \vdash \Delta$ is interpreted as the formula $[S] = [\Delta] - [\Gamma]$.
Finally, a hypersequent $G = S_0 \mid \cdots \mid S_n$ is interpreted as the formula
$[G] = [S_0] \sqcup \cdots \sqcup [S_n]$.


Example 1. Consider the hypersequent $G = (0 \sqcup x, y \vdash y) \mid (-y \vdash)$ consisting
of two sequents. Then $[G] = (y - ((0 \sqcup x) + y)) \sqcup (0 - (-y))$.


The soundness and completeness of the hypersequent system GA with respect
to the theory of lattice-ordered abelian groups (axioms (1) of Fig. 1, written as
$T_{(1)}$) is expressed by the following theorem.


Theorem 2 ([MOG05]). For all formulas $A$ and hypersequents $G$:

Soundness: if $\vdash_{GA} G$ then $T_{(1)} \vdash [G] \geq 0$.
Completeness: if $T_{(1)} \vdash A \geq 0$ then $\vdash_{GA} (\vdash A)$.


Proof. The proofs presented in [MOG05] exploit the following well-known fact
(see, e.g., [Vul67]): the equality $A = B$ holds in all lattice-ordered abelian groups
if and only if it holds in $(\mathbb{R}, 0, +, -, \max, \min)$ under any interpretation of the
variables as real numbers. In other words, $\mathbb{R}$ generates the variety of lattice-
ordered abelian groups.


The main result of [MOG05] regarding GA is that the CUT rule is eliminable. 


Theorem 3 (Cut-elimination [MOG05]). Any GA-derivation of a hyperse- 
quent G can be effectively transformed into a GA*-derivation of G. 


3 The Hypersequent System MGA 


In this section we introduce our hypersequent calculus system MGA, a modal
extension of the GA system of [MOG05]. The system MGA deals with formu-
las over the signature of modal lattice-ordered abelian groups (see Fig. 1) thus
including the constant $1$ and the unary modality $\Diamond$.


Definition 7 (Formulas of MGA). A formula $A$ is a term built from a set
of variables (ranged over by $x, y, z$) over the signature $\{0, 1, +, -, \sqcap, \sqcup, \Diamond\}$.


The definitions of sequents and hypersequents are given exactly as for the 
system GA in Definition 5 of Sect. 2.2. Similarly, multisets of formulas, sequents 
and hypersequents are interpreted as formulas exactly as already specified in 
Definition 6 of Sect. 2.2 for the system GA. Before presenting the deduction rules 
of MGA, it is useful to introduce the following abbreviations. 
– For $n \in \mathbb{N}_{\geq 0}$, we denote with $nF$ the multiset of formulas $F, F, \ldots, F$ ($n$ copies).
So for example we write $2A, 1B \vdash 0C, D$ to denote the sequent $A, A, B \vdash D$.

– Given a multiset of formulas $\Gamma = F_0, \ldots, F_k$ and $n \in \mathbb{N}_{\geq 0}$ we denote with $n\Gamma$
the multiset of formulas $nF_0, \ldots, nF_k$. If $\Gamma = \emptyset$ then also $n\Gamma = \emptyset$.

– Given a multiset of formulas $\Gamma = F_0, \ldots, F_k$ we denote with $\Diamond\Gamma$ the multiset
of formulas $\Diamond F_0, \ldots, \Diamond F_k$. Consistently, if $\Gamma = \emptyset$ then also $\Diamond\Gamma = \emptyset$.


The rules of the system MGA consist of all rules of GA (see Fig. 2) together 
with the additional rules of Fig. 3. 


Axiom for 1: $\dfrac{}{\ \vdash 1}\ (1\text{-ax})$ \qquad Rule for $\Diamond$: $\dfrac{\Gamma \vdash \Delta, n1}{\Diamond\Gamma \vdash \Diamond\Delta, n1}\ (\Diamond\text{-rule})$

Fig. 3. Additional inference rules of the hypersequent system MGA


The axiom (1-ax) for the constant $1$ is straightforward and it simply expresses
the axiom $0 \leq 1$ from Fig. 1 (i.e., $T \vdash [\vdash 1] \geq 0$).

The rule ($\Diamond$-rule) for the modality is more subtle as it imposes strong con-
straints on the shape of its premise and conclusion. First, both the conclusion and
the premise are required to be hypersequents consisting of exactly one sequent.
Furthermore, in the conclusion, all formulas, except those of the form $1$ on the
right side, need to be of the form $\Diamond C$ for some $C$.
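The interpretation of Definition 6 and the side conditions of the $\Diamond$-rule just described, as an added Python example that is not part of the paper and not the authors' Agda formalisation from [Agd]; the tuple encoding of formulas, the helper names and the sample hypersequents are constructed here, and ◇-free formulas are evaluated in $(\mathbb{R}, 0, +, -, \max, \min)$ as in the proof of Theorem 2:

```python
"""Interpretation of multisets, sequents and hypersequents as formulas
(Definition 6) and a checker for the side conditions of the ◇-rule of MGA.
Added example; not the authors' Agda formalisation from [Agd].

Formulas are nested tuples (a constructed encoding):
  ('var', 'x'), ('0',), ('1',), ('+', A, B), ('-', A),
  ('meet', A, B) for A ⊓ B, ('join', A, B) for A ⊔ B, ('dia', A) for ◇A.
A sequent is a pair (Γ, Δ) of lists; a hypersequent is a list of sequents.
"""
from collections import Counter

ZERO, ONE = ('0',), ('1',)


def var(x): return ('var', x)
def plus(a, b): return ('+', a, b)
def neg(a): return ('-', a)
def meet(a, b): return ('meet', a, b)
def join(a, b): return ('join', a, b)
def dia(a): return ('dia', a)


def interp_multiset(gamma):
    """[Γ] = φ1 + ... + φn, and [∅] = 0."""
    if not gamma:
        return ZERO
    acc = gamma[0]
    for f in gamma[1:]:
        acc = plus(acc, f)
    return acc


def interp_sequent(seq):
    """[Γ ⊢ Δ] = [Δ] − [Γ], with A − B written as A + (−B)."""
    gamma, delta = seq
    return plus(interp_multiset(delta), neg(interp_multiset(gamma)))


def interp_hypersequent(hs):
    """[S0 | ... | Sn] = [S0] ⊔ ... ⊔ [Sn]."""
    acc = interp_sequent(hs[0])
    for s in hs[1:]:
        acc = join(acc, interp_sequent(s))
    return acc


def evaluate(f, env):
    """Evaluate a ◇-free formula in (R, 0, +, −, max, min), the structure that
    generates the variety of lattice-ordered abelian groups (proof of Theorem 2)."""
    tag = f[0]
    if tag == 'var':
        return env[f[1]]
    if tag == '0':
        return 0.0
    if tag == '1':
        return 1.0
    if tag == '+':
        return evaluate(f[1], env) + evaluate(f[2], env)
    if tag == '-':
        return -evaluate(f[1], env)
    if tag == 'meet':
        return min(evaluate(f[1], env), evaluate(f[2], env))
    if tag == 'join':
        return max(evaluate(f[1], env), evaluate(f[2], env))
    raise ValueError("◇ has no interpretation in (R, 0, +, −, max, min)")


def is_diamond_rule_instance(premise, conclusion):
    """True iff `conclusion` follows from `premise` by one application of
        Γ ⊢ Δ, n·1
       -------------  (◇-rule)
       ◇Γ ⊢ ◇Δ, n·1
    Side conditions: both hypersequents have exactly one component, and every
    formula of the conclusion other than the copies of 1 on the right is ◇C."""
    if len(premise) != 1 or len(conclusion) != 1:
        return False          # Remark 2: extra components make the rule unsound
    (pg, pd), (cg, cd) = premise[0], conclusion[0]
    ones = [f for f in cd if f == ONE]
    boxed = cg + [f for f in cd if f != ONE]
    if any(f[0] != 'dia' for f in boxed):
        return False          # e.g. a variable x on either side
    stripped_left = [f[1] for f in cg]
    stripped_right = [f[1] for f in cd if f != ONE] + ones
    # multisets must agree: same Γ, same Δ and the same number n of 1's
    return Counter(pg) == Counter(stripped_left) and Counter(pd) == Counter(stripped_right)


# Example 1 of Sect. 2.2: G = (0 ⊔ x, y ⊢ y) | (−y ⊢)
X, Y = var('x'), var('y')
EXAMPLE_G = [([join(ZERO, X), Y], [Y]), ([neg(Y)], [])]

# The ◇-rule step of the derivation in Sect. 3, with B = A ⊓ (1 − A)
A = var('a')
B = meet(A, plus(ONE, neg(A)))
DIA_STEP = ([([B, B], [ONE])], [([dia(B), dia(B)], [ONE])])

if __name__ == '__main__':
    print(interp_hypersequent(EXAMPLE_G))
    print(evaluate(interp_hypersequent(EXAMPLE_G), {'x': 1.0, 'y': 2.0}))  # 2.0
    print(is_diamond_rule_instance(*DIA_STEP))                             # True
```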

The following is an illustrative example of derivation in the system MGA
(each line names the rule applied and the lines it is derived from; $1 - A$ abbreviates $1 + (-A)$):

1. $1 \vdash 1$ (ID-ax)
2. $A \vdash A$ (ID-ax)
3. $A, 1 \vdash 1, A$ (M, from 1 and 2)
4. $A, 1, -A \vdash 1$ ($-_L$, from 3)
5. $A, 1 - A \vdash 1$ ($+_L$, from 4)
6. $A, A \vdash 1 \mid A, 1 - A \vdash 1$ (W, from 5)
7. $A, A \sqcap (1 - A) \vdash 1$ ($\sqcap_L$, from 6)
8. $A, A \sqcap (1 - A) \vdash 1 \mid 1 - A, A \sqcap (1 - A) \vdash 1$ (W, from 7)
9. $A \sqcap (1 - A), A \sqcap (1 - A) \vdash 1$ ($\sqcap_L$, from 8)
10. $\Diamond(A \sqcap (1 - A)), \Diamond(A \sqcap (1 - A)) \vdash 1$ ($\Diamond$-rule, from 9)
11. $\Diamond(A \sqcap (1 - A)) + \Diamond(A \sqcap (1 - A)) \vdash 1$ ($+_L$, from 10)


Our first theorem regarding MGA states its soundness and completeness with
respect to the theory of modal lattice-ordered abelian groups (see Fig. 1). The
proof of [MOG05] of Theorem 2 cannot be directly adapted here because, unlike
the case for lattice-ordered abelian groups and $\mathbb{R}$, we are not aware of any simple
modal lattice-ordered abelian group which generates the whole variety.


Theorem 4. For all formulas $A$ and hypersequents $G$:

Soundness: if $\vdash_{MGA} G$ then $T \vdash [G] \geq 0$.
Completeness: if $T \vdash A \geq 0$ then $\vdash_{MGA} (\vdash A)$.
Proof. Soundness is proven by translating every MGA derivation $d$ of $G$ to a
derivation in equational logic $\pi$ of $[G] \geq 0$. This is done by induction on the
complexity of $d$. The difficult cases correspond to when $d$ ends by applications of
either the S-rule, the M-rule or the $\sqcup_R$ rule. The formalised proof is implemented
in the Agda file Syntax/Agda/MGA-Cut/Soundness.agda in [Agd] and the type
of the function is: soundness : (G : HSeq) → (MGA G) → botAG ≤S [G].

Conversely, completeness is proven by translating every equational logic
derivation $\pi$ of $A = B$ to the MGA derivations $d_1$ and $d_2$ of the (hyper)sequents
$A \vdash B$ and $B \vdash A$ respectively. The proof goes by induction on $\pi$. First, MGA
derivations are obtained for all axioms of Fig. 1. For example, for the axiom
$\Diamond(x + y) = \Diamond(x) + \Diamond(y)$ we can derive the (hyper)sequent $\Diamond(x + y) \vdash \Diamond(x) + \Diamond(y)$
as shown below (left-side). Translating applications of the rules refl and sym is
simple. Translating applications of the trans rule is immediate using the CUT
rule of MGA. To translate applications of the ctxt rule, it is sufficient to prove
(by induction) a simple context-lemma that states that if $A \vdash B$ is MGA deriv-
able then also $C[A] \vdash C[B]$ is MGA derivable. Similarly, to translate applications
of the subst rule, it is sufficient to prove (by induction) a simple substitution-
lemma stating that if $G$ is MGA derivable then $G[A/x]$ is also derivable, where
$G[A/x]$ is the hypersequent where every occurrence of $x$ is replaced by $A$.

Note that $T \vdash A \geq 0$ means that $T \vdash 0 = 0 \sqcap A$. By the translation method
outlined above, the (hyper)sequent $0 \vdash 0 \sqcap A$ is MGA derivable. We can then
get a MGA derivation of $\vdash A$ as follows (right-side):

Left-side, derivation of $\Diamond(x + y) \vdash \Diamond(x) + \Diamond(y)$:
1. $x \vdash x$ (ID-ax)
2. $y \vdash y$ (ID-ax)
3. $x, y \vdash x, y$ (M, from 1 and 2)
4. $x + y \vdash x, y$ ($+_L$, from 3)
5. $\Diamond(x + y) \vdash \Diamond(x), \Diamond(y)$ ($\Diamond$-rule, from 4)
6. $\Diamond(x + y) \vdash \Diamond(x) + \Diamond(y)$ ($+_R$, from 5)

Right-side, derivation of $\vdash A$:
1. $A \vdash A$ (ID-ax)
2. $0 \vdash A \mid A \vdash A$ (W, from 1)
3. $0 \sqcap A \vdash A$ ($\sqcap_L$, from 2)
4. $\vdash$ ($\Lambda$-ax)
5. $\vdash 0$ ($0_R$, from 4)
6. $0 \vdash 0 \sqcap A$ (derivable by the translation method above)
7. $\vdash 0 \sqcap A$ (CUT, from 5 and 6)
8. $\vdash A$ (CUT, from 7 and 3)


The file Syntax/Agda/MGA-Cut/Completeness.agda in [Agd] contains the
formalised proof and the type of the function is: completeness : (A : Term) →
botAG ≤S A → MGA (head ([ ],[ ] :: A)).


Remark 2. The following natural looking variant of the ($\Diamond$-rule), allowing hyper-
sequents with more than one component, is unsound:

$\dfrac{G \mid \Gamma \vdash \Delta, n1}{G \mid \Diamond\Gamma \vdash \Diamond\Delta, n1}$


Our main theorem regarding the system MGA is the cut-elimination theorem. 
We denote with MGA* the system without the CUT rule. 


Theorem 5 (Cut-elimination). Any MGA-derivation of a hypersequent G 
can be effectively transformed into a MGA* -derivation of G. 


Theorems 4 and 5 imply the statement of Theorem 1 in the Introduction. 
4 Overview of the Proof of the Cut-Elimination Theorem


In this section we illustrate the structure of our proof of the cut-elimination 
theorem. We first explain the main ideas behind the proof of cut-elimination for 
GA of [MOG09, §5.2]. We then explain why these ideas are not directly applicable
to the system MGA. Lastly, we discuss our key technical contribution which 
makes it possible to adapt the proof method of [MOG09, §5.2] to prove the 
cut-elimination theorem for the MGA system. 


4.1 The CAN-Elimination Theorem for the System GA 


A key idea of [MOG09, §5.2] is to replace the CUT rule with an easier to handle
rule called cancellation (CAN) rule. The CAN rule can derive the CUT rule in
the basic cut-free system $GA^*$ as follows (right-side):

$\dfrac{G \mid \Gamma, A \vdash \Delta, A}{G \mid \Gamma \vdash \Delta}\ \text{CAN} \qquad\qquad \dfrac{\dfrac{\overset{d_1}{G \mid \Gamma_1, A \vdash \Delta_1} \quad \overset{d_2}{G \mid \Gamma_2 \vdash A, \Delta_2}}{G \mid \Gamma_1, \Gamma_2, A \vdash A, \Delta_1, \Delta_2}\ \text{M}}{G \mid \Gamma_1, \Gamma_2 \vdash \Delta_1, \Delta_2}\ \text{CAN}$


The cut-elimination theorem is obtained in [MOG09, §5.2] by proving a CAN-
elimination theorem expressed as: if $\vdash_{GA^*} G \mid \Gamma, A \vdash \Delta, A$ then $\vdash_{GA^*} G \mid \Gamma \vdash \Delta$.
The CAN-elimination theorem for the system GA is proved in three steps: 


Step A: proving the invertibility of all the logical rules ([MOG09, Lemma 5.18]).
The invertibility states that if the conclusion of a logical rule (for instance,
$G \mid \Gamma, A + B \vdash \Delta$ for the $+_L$ rule) is derivable without the CAN-rule, then all the
premises (in this case $G \mid \Gamma, A, B \vdash \Delta$) are derivable too without the CAN-rule.


Step B: proving the atomic CAN-elimination theorem ([MOG09, Lemma 5.17]).
This theorem deals with the special case of $A$ being a variable and states that if
$d \vdash_{GA^*} G \mid \Gamma, x \vdash x, \Delta$ then $\vdash_{GA^*} G \mid \Gamma \vdash \Delta$. This theorem is proven by induction
on $d$ and is mostly straightforward: the only difficult case is when $d$ finishes
with an application of the M-rule. A separate technical result ([MOG09, Lemma
5.16]) is used to take care of this difficult case.


Step C: proving the CAN-elimination theorem ([MOG09, Theorem 5.19]). The
CAN-elimination theorem states that if $\vdash_{GA^*} G \mid \Gamma, A \vdash \Delta, A$ then $\vdash_{GA^*} G \mid \Gamma \vdash \Delta$.
This proof is by induction on $A$:

– If $A$ is a variable, we can conclude with the atomic CAN-elimination theorem.

– Otherwise we use the invertibility of the logical rules and we can conclude with
the induction hypothesis. For instance, if $A = B + C$, then by invertibility of
the $+_L$ and $+_R$ rules we have a $GA^*$-derivation of $G \mid \Gamma, B, C \vdash \Delta, B, C$
and, from it, we can obtain a $GA^*$-derivation of $G \mid \Gamma \vdash \Delta$ by using twice the
induction hypothesis, first on $B$ then on $C$.
4.2 Issues in Adapting the Proof for the System MGA


The proofs of [MOG09] can be adapted to the context of MGA without much
difficulty to perform the first two steps:


Theorem 6 (Invertibility of the logical rules). All logical rules (including
the $\Diamond$-rule) are invertible in the system $MGA^*$.


Proof. The same proof technique used in [MOG09] works. The main idea is, in
order to deal easily with the (S) and the (C) rules, to prove a slightly stronger
statement about the invertibility of more general rules. For instance, the gener-
alisation of the rule $+_L$ is:

$\dfrac{[\Gamma_i, n_i A, n_i B \vdash \Delta_i]_{i=1}^{m}}{[\Gamma_i, n_i(A + B) \vdash \Delta_i]_{i=1}^{m}}$


Theorem 7 (Atomic CAN-elimination theorem). If $\vdash_{MGA^*} \Gamma, x \vdash x, \Delta$
then $\vdash_{MGA^*} \Gamma \vdash \Delta$.


The complication comes from the third and last Step C. We want to prove
that if $\vdash_{MGA^*} G \mid \Gamma, A \vdash \Delta, A$ then $\vdash_{MGA^*} G \mid \Gamma \vdash \Delta$. An ordinary proof by
induction on $A$ could get stuck when $A = \Diamond B$. For instance, if the hypersequent
is $x, \Diamond B \vdash \Diamond B, x$, the invertibility of the $\Diamond$-rule can not be used because of the
syntactic constraints the $\Diamond$-rule imposes on its conclusion. Indeed the invertibility
of the $\Diamond$-rule states that if $\vdash_{MGA^*} \Diamond\Gamma \vdash \Diamond\Delta$ then $\vdash_{MGA^*} \Gamma \vdash \Delta$, but $x, \Diamond B \vdash \Diamond B, x$
is not of this form because it contains the variable $x$.

For this reason, we deal with the case $A = \Diamond B$ in a different way, using
an induction argument on the derivation of $G \mid \Gamma, A \vdash \Delta, A$. In this argument,
however, the M-rule is hard to deal with (as already remarked it is a main source
of complications also in the proof of atomic CAN-elimination of [MOG09, §5.2]).

Our main technical result is that the M-rule can be eliminated from a simple
variant of the system MGA called MGA-SR (which stands for MGA with scalar
rules). The system MGA-SR is obtained by modifying MGA as follows:

– The logical left-rules and right-rules for the connectives $\{0, -, +, \sqcup, \sqcap\}$ are
generalised to deal with scalar coefficients (syntactic sugaring introduced in
Sect. 3). For instance, the rules $+_L$ and $\sqcup_L$ become:

$\dfrac{G \mid \Gamma, nA, nB \vdash \Delta}{G \mid \Gamma, n(A + B) \vdash \Delta}\ +_L \qquad \dfrac{G \mid \Gamma, nA \vdash \Delta \quad G \mid \Gamma, nB \vdash \Delta}{G \mid \Gamma, n(A \sqcup B) \vdash \Delta}\ \sqcup_L$

– The axioms ID-ax and 1-ax are replaced by the rules

$\dfrac{G \mid \Gamma \vdash \Delta}{G \mid \Gamma, nx \vdash nx, \Delta}\ \text{ID-rule} \qquad \dfrac{G \mid \Gamma \vdash \Delta}{G \mid \Gamma \vdash \Delta, n1}\ \text{1-rule}$

– All structural rules (C, W, S, M), the $\Diamond$-rule and the CAN rule remain exactly
as in MGA (see Fig. 2).
It is possible to verify that MGA and MGA-SR are equivalent, i.e., they can
derive exactly the same hypersequents (Theorem 8 below). The first modification
(scalar rules) is technically motivated because it simplifies several proofs: in fact
scalar rules are also implicitly considered in several of the proofs of [MOG09]
for the system GA. The second modification (ID-rule and 1-rule) is essential.
Indeed in the system MGA (and also in GA) the (hyper)sequent $x, y \vdash x, y$
is not derivable without applying the M-rule. Hence M-elimination in MGA is
impossible. On the other hand the (hyper)sequent $x, y \vdash x, y$ is easily derivable
in MGA-SR without requiring applications of the M rule

1. $\vdash$ ($\Lambda$-ax)
2. $y \vdash y$ (ID-rule, from 1)
3. $x, y \vdash x, y$ (ID-rule, from 2)


and, as we will prove (Theorem 12), it is indeed possible to eliminate all appli- 
cations of the M-rule from MGA-SR. 

As outlined above, the presence of the M-rule was the main source of com- 
plications in adapting Step C. Once the equivalence between MGA-SR and 
MGA-SR without the M-rule is established, most complications disappear and 
the CAN-elimination proof can be obtained by performing Steps A-B-C for the 
system MGA-SR. 


4.3 The System MGA-SR and the M-Elimination Theorem 


In this subsection we introduce the system MGA-SR (MGA with scalar rules) 
for which we will prove the M-elimination theorem. 


Definition 8 (MGA-SR). The inference rules of MGA-SR are the rules of
MGA modified as discussed previously. We denote by $MGA\text{-}SR^*$, $MGA\text{-}SR^\dagger$ and
$MGA\text{-}SR^{\dagger*}$ the systems without the CUT rule, the M-rule and both the CUT and
M-rules, respectively.


Theorem 8. The two systems MGA and MGA-SR are equivalent: $\vdash_{MGA} G$ if
and only if $\vdash_{MGA\text{-}SR} G$.
The two systems $MGA^*$ and $MGA\text{-}SR^*$ are equivalent: $\vdash_{MGA^*} G$ if and only
if $\vdash_{MGA\text{-}SR^*} G$.


Proof. Translating MGA proofs to MGA-SR proofs is straightforward. All rules
of MGA are specific instances of the scalar rules of MGA-SR (taking the scalar
$n = 1$) and the axioms 1-ax and ID-ax are easily derivable in MGA-
SR (without the need of the CAN rule) by using the ID-rule and 1-rule (again,
using the scalar $n = 1$). Translating MGA-SR to MGA is also mostly straight-
forward. Some care is needed to translate instances of the scalar-rules $\sqcup_L$ and
$\sqcap_R$ from MGA-SR to MGA. This can be done by induction on the scalar $n$ using
the fact that the two premises $G \mid \Gamma, nA, B \vdash \Delta$ and $G \mid \Gamma, nB, A \vdash \Delta$ are derivable
from $G \mid \Gamma, (n+1)A \vdash \Delta$ and $G \mid \Gamma, (n+1)B \vdash \Delta$. We remark that this derivation
may require the usage of the M rule.
We now state our main technical contribution: the M-elimination theorem
for the system MGA-SR.


Theorem 9 (M-elimination). If $d_1 \vdash_{MGA\text{-}SR^\dagger} G_1 \mid \Gamma \vdash \Delta$ and $d_2 \vdash_{MGA\text{-}SR^\dagger} G_2 \mid \Sigma \vdash \Pi$
then $\vdash_{MGA\text{-}SR^\dagger} G_1 \mid G_2 \mid \Gamma, \Sigma \vdash \Delta, \Pi$.

If $d_1 \vdash_{MGA\text{-}SR^{\dagger*}} G_1 \mid \Gamma \vdash \Delta$ and $d_2 \vdash_{MGA\text{-}SR^{\dagger*}} G_2 \mid \Sigma \vdash \Pi$ then $\vdash_{MGA\text{-}SR^{\dagger*}}$
$G_1 \mid G_2 \mid \Gamma, \Sigma \vdash \Delta, \Pi$.


We now give a sketch of our proof argument. A formalised proof in Agda
is available in [Agd] and is contained in the files Syntax/MGA-SR/M-Elim.agda
and Syntax/MGA-SR-CAN/M-Elim-CAN.agda.

The general idea is to combine the derivations $d_1$ and $d_2$ in a sequential way.
We first consider the case when no applications of the $\Diamond$-rule appear in $d_1$ nor
$d_2$. First the proof $d_1$ is transformed into a pre-proof (i.e., where the derivation
is left incomplete at some leaves) $d_1'$ of $G_1 \mid G_2 \mid \Gamma, \Sigma \vdash \Delta, \Pi$. The pre-proof $d_1'$
is structurally identical to $d_1$ and it essentially just ignores the $G_2$, $\Sigma$ and $\Pi$
components of the hypersequent. While the leaves of $d_1$ are all of the form $(\vdash)$
because $\Lambda$-ax is the only axiom of MGA-SR, the leaves of the pre-proof $d_1'$ are
of the form $G_2 \mid n\Sigma \vdash n\Pi$ (the ignored part carried out until the end, which can
get multiplied by applications of the C and S rules). We can now proceed with
the second step and provide derivations for these leaves using (easily modified
versions of) the proof $d_2$.

When occurrences of the $\Diamond$-rule appear in $d_1$ or $d_2$ the argument requires
more care. Indeed an application of the $\Diamond$-rule in $d_1$ acting on some hypersequent
(necessarily) of the form:

$\Diamond\Gamma_1 \vdash \Diamond\Delta_1, k1$

cannot be turned into an application of the $\Diamond$-rule on:

$G_2 \mid \Sigma, \Diamond\Gamma_1 \vdash \Diamond\Delta_1, k1, \Pi$

because this hypersequent violates the structural constraints of the $\Diamond$-rule. For
this reason, we stop the construction of $d_1'$ at these points and, as a result, the
leaves of the pre-proof $d_1'$ are generally of the form: $G_2 \mid n\Sigma, \Diamond\Gamma_1 \vdash \Diamond\Delta_1, k1, n\Pi$,
for some $\Gamma_1$, $\Delta_1$ and scalars $n$, $k$.

The idea now is, following the same kind of procedure, to modify the proof
$d_2$ and turn it into a pre-proof $d_2'$ of $G_2 \mid n\Sigma, \Diamond\Gamma_1 \vdash \Diamond\Delta_1, k1, n\Pi$. Crucially, the
previous issue disappears. Indeed proof steps in $d_2$ acting on hypersequents of
the form:

$\Diamond\Sigma_1 \vdash \Diamond\Pi_1, m1$

using the $\Diamond$-rule, can be turned into valid $\Diamond$-rule steps for the extended hyper-
sequent:

$\Diamond\Sigma_1, \Diamond\Gamma_1 \vdash \Diamond\Delta_1, k1, \Diamond\Pi_1, m1$

because the shape of the sequent is compatible with the constraint of the $\Diamond$-
rule. Note that the hypersequent resulting from the application of the $\Diamond$-rule
is $\Sigma_1, \Gamma_1 \vdash \Delta_1, k1, \Pi_1, m1$ and has a lower modal-depth than the starting
one. Hence an inductive argument on modal-complexity can be arranged to
recursively reduce the general M-elimination procedure to the simpler case where
$d_1$ and $d_2$ do not have occurrences of the $\Diamond$-rule (Fig. 4).


[Figure: sequential composition of $d_1$ and $d_2$. Top row: the derivation $d_1$ of $G_1 \mid \Gamma \vdash \Delta$, containing a $\Diamond$-rule step from $\Gamma_1 \vdash \Delta_1, k1$ to $\Diamond\Gamma_1 \vdash \Diamond\Delta_1, k1$, and the derivation $d_2$ of $G_2 \mid \Sigma \vdash \Pi$, containing a $\Diamond$-rule step from $\Sigma_1 \vdash \Pi_1, m1$ to $\Diamond\Sigma_1 \vdash \Diamond\Pi_1, m1$. Bottom row: the pre-proof $d_1'$ of $G_1 \mid G_2 \mid \Gamma, \Sigma \vdash \Delta, \Pi$, whose leaves are of the form $G_2 \mid n\Sigma, \Diamond\Gamma_1 \vdash \Diamond\Delta_1, k1, n\Pi$, and the pre-proof $d_2'$ of $G_2 \mid n\Sigma, \Diamond\Gamma_1 \vdash \Diamond\Delta_1, k1, n\Pi$, whose leaves are of the form $\Diamond\Sigma_1, n_1\Diamond\Gamma_1 \vdash n_1\Diamond\Delta_1, n_1 k_1 1, \Diamond\Pi_1, m_1 1$, obtained by the $\Diamond$-rule from $\Sigma_1, n_1\Gamma_1 \vdash n_1\Delta_1, n_1 k_1 1, \Pi_1, m_1 1$.]

Fig. 4. Sequentially composing $d_1$ and $d_2$ in the M-elimination proof.


The following is a direct consequence of Theorems 8 and 9.


Corollary 1. The two systems MGA and $MGA\text{-}SR^\dagger$ are equivalent: $\vdash_{MGA} G$ if
and only if $\vdash_{MGA\text{-}SR^\dagger} G$.
The two systems $MGA^*$ and $MGA\text{-}SR^{\dagger*}$ are equivalent: $\vdash_{MGA^*} G$ if and only
if $\vdash_{MGA\text{-}SR^{\dagger*}} G$.


4.4 Cut-Elimination Theorem for the System MGA 


We have already remarked that the cut-elimination theorem for the system MGA
follows from the CAN-elimination theorem. By Corollary 1, the CAN-elimination
theorem for the system $MGA\text{-}SR^\dagger$ implies the CAN-elimination for MGA. Since
there is no M-rule in $MGA\text{-}SR^\dagger$, the proof of CAN-elimination can follow the
three Steps A-B-C outlined in Subsect. 4.1. As for Step A, we need to prove the
invertibility of the logical rules in the system $MGA\text{-}SR^{\dagger*}$.


Theorem 10 (Invertibility of the logical rules). The logical rules of the
system $MGA\text{-}SR^{\dagger*}$, $\{0_L, 0_R, +_L, +_R, \sqcup_L, \sqcup_R, \sqcap_L, \sqcap_R\}$, are invertible.


Remark 3. We note that, just as in [MOG09, §5.2], it is in fact possible and
indeed technically useful to prove the invertibility of generalised rules
dealing with scalars, as in the proof of Theorem 6.


As for Step B we prove the atomic CAN-elimination theorem. Following the 
previous remark, we prove the following stronger version of the statement. 
Theorem 11 (Atomic CAN-elimination). If $\vdash_{MGA\text{-}SR^{\dagger*}} [\Gamma_i, k_i x \vdash k_i x, \Delta_i]_{i=1}^{n}$
then $\vdash_{MGA\text{-}SR^{\dagger*}} [\Gamma_i \vdash \Delta_i]_{i=1}^{n}$.


Since we removed the M-rule, there are no significant difficulties in the induc- 
tion arguments, and the proof is quite straightforward. 

We also need a technical lemma regarding the constant formula 1 which is 
provable by a simple induction on the length of derivations. 


Lemma 1. If $\vdash_{MGA\text{-}SR^{\dagger*}} [\Gamma_i, n_i 1 \vdash n_i 1, \Delta_i]_{i=1}^{n}$ then $\vdash_{MGA\text{-}SR^{\dagger*}} [\Gamma_i \vdash \Delta_i]_{i=1}^{n}$.


We can now prove the CAN-elimination theorem for $MGA\text{-}SR^\dagger$. This,
together with Corollary 1, implies the cut-elimination (Theorem 5) for MGA.


Theorem 12 (CAN-elimination). If $d \vdash_{MGA\text{-}SR^{\dagger*}} G \mid \Gamma, A \vdash \Delta, A$ then
$\vdash_{MGA\text{-}SR^{\dagger*}} G \mid \Gamma \vdash \Delta$.


Proof. Again, it is convenient to prove the stronger statement: if $d \vdash_{MGA\text{-}SR^{\dagger*}}$
$[\Gamma_i, k_i A \vdash k_i A, \Delta_i]_{i=1}^{n}$ then $\vdash_{MGA\text{-}SR^{\dagger*}} [\Gamma_i \vdash \Delta_i]_{i=1}^{n}$. This is done by induction
on the (lexicographical) complexity of the pair $(A, d)$:

– If $A$ is a variable, we can conclude with Theorem 11.
– If $A = 1$, we can conclude with Lemma 1.
– If $A = \Diamond B$, we look at $d$.

  • If $d$ finishes with the $\Diamond$-rule, then the end hypersequent is necessarily
  of the form $[\Gamma_i, k_i A \vdash k_i A, \Delta_i]_{i=1}^{n} = \Diamond\Gamma_1, n_1\Diamond B \vdash n_1\Diamond B, \Diamond\Delta_1, k1$, and
  is derived from the hypersequent $\vdash_{MGA\text{-}SR^{\dagger*}} \Gamma_1, n_1 B \vdash n_1 B, \Delta_1, k1$. By
  induction hypothesis ($B$ has smaller complexity than $A$), we have that
  $\vdash_{MGA\text{-}SR^{\dagger*}} \Gamma_1 \vdash \Delta_1, k1$. Hence we can derive $\vdash_{MGA\text{-}SR^{\dagger*}} \Diamond\Gamma_1 \vdash \Diamond\Delta_1, k1$
  by application of the $\Diamond$-rule.

  • Otherwise, the hypersequent is derived by application of some other rule
  (not active on $A = \Diamond B$) from some premises. In this case, we simply apply
  the inductive hypothesis on the premises (the formula $A$ is unchanged but
  the complexity of the premise derivation has decreased) and use the same
  rule to construct a derivation of the desired hypersequent.

– Otherwise, using the same argument of [MOG09, §5.2] discussed in Sect. 4.1,
we make progress in the inductive proof (reducing the complexity of $A$) by
using the invertibility of the logical rules (Theorem 10).


5 Conclusions and Future Work 


We have presented a structural proof system called MGA for the scalar-free frag- 
ment of the Riesz modal logic. A natural direction of research is to extend the 
system MGA to deal with the full Riesz modal logic, thus handling arbitrary 
scalars $r \in \mathbb{R}$. The (integer-)scalar rules of the system MGA-SR could be naturally
generalised to handle real-scalars but it is not clear, at the present moment,
if the resulting system would satisfy a reasonable formulation of the sub-formula 
property. Another interesting topic of research is to consider extensions of MGA 
for fixed-point extensions of the Riesz modal logic (e.g., [MS17, Mio18]). In this 
direction, the machinery of cyclic proofs (see, e.g., [Stu07, MS13b,BS11, Dou17]) 
appears to be particularly promising. 
Abstract. The paper addresses two variants of the stochastic shortest
path problem (“optimize the accumulated weight until reaching a goal 
state”) in Markov decision processes (MDPs) with integer weights. The 
first variant optimizes partial expected accumulated weights, where paths 
not leading to a goal state are assigned weight 0, while the second variant 
considers conditional expected accumulated weights, where the probabil- 
ity mass is redistributed to paths reaching the goal. Both variants consti- 
tute useful approaches to the analysis of systems without guarantees on 
the occurrence of an event of interest (reaching a goal state), but have 
only been studied in structures with non-negative weights. Our main 
results are as follows. There are polynomial-time algorithms to check the 
finiteness of the supremum of the partial or conditional expectations in 
MDPs with arbitrary integer weights. If finite, then optimal weight-based 
deterministic schedulers exist. In contrast to the setting of non-negative 
weights, optimal schedulers can need infinite memory and their value can 
be irrational. However, the optimal value can be approximated up to an 
absolute error of $\varepsilon$ in time exponential in the size of the MDP and polynomial
in $\log(1/\varepsilon)$.


1 Introduction 


Stochastic shortest path (SSP) problems generalize the shortest path problem 
on graphs with weighted edges. The SSP problem is formalized using finite state 
Markov decision processes (MDPs), which are a prominent model combining 
probabilistic and nondeterministic choices. In each state of an MDP, one is 
allowed to choose nondeterministically from a set of actions, each of them is 
augmented with probability distributions over the successor states and a weight 
(cost or reward). The SSP problem asks for a policy to choose actions (here called 
a scheduler) maximizing or minimizing the expected accumulated weight until 
reaching a goal state. In the classical setting, one seeks an optimal proper sched- 
uler where proper means that a goal state is reached almost surely. Polynomial- 
time solutions exist exploiting the fact that optimal memoryless deterministic 
schedulers exist (provided the optimal value is finite) and can be computed using
linear programming techniques, possibly in combination with model transforma- 
tions (see [1,5,10]). The restriction to proper schedulers, however, is often too 
restrictive. First, there are models that have no proper scheduler. Second, even if 
proper schedulers exist, the expectation of the accumulated weight of schedulers 
missing the goal with a positive probability should be taken into account as well. 
Important such applications include the semantics of probabilistic programs (see 
e.g. [4,7,12,14,16]) where no guarantee for almost sure termination can be given 
and the analysis of program properties at termination time gives rise to stochas- 
tic shortest (longest) path problems in which the goal (halting configuration) is 
not reached almost surely. Other examples are the fault-tolerance analysis (e.g., 
expected costs of repair mechanisms) in selected error scenarios that can appear 
with some positive, but small probability or the trade-off analysis with conjunc- 
tions of utility and cost constraints that are achievable with positive probability, 
but not almost surely (see e.g. [2]). 

This motivates the switch to variants of classical SSP problems where the 
restriction to proper schedulers is relaxed. One option (e.g., considered in [8]) 
is to seek a scheduler optimizing the expectation of the random variable that 
assigns weight 0 to all paths not reaching the goal and the accumulated weight 
of the shortest prefix reaching the goal to all other paths. We refer to this expec- 
tation as partial expectation. Second, we consider the conditional expectation of 
the accumulated weight until reaching the goal under the condition that the goal 
is reached. In general, partial expectations describe situations in which some 
reward (positive and negative) is accumulated but only retrieved if a certain 
goal is met. In particular, partial expectations can be an appropriate replace- 
ment for the classical expected weight before reaching the goal if we want to 
include schedulers which miss the goal with some (possibly very small) probabil- 
ity. In contrast to conditional expectations, the resulting scheduler still has an 
incentive to reach the goal with a high probability, while schedulers maximiz- 
ing the conditional expectation might reach the goal with a very small positive 
probability. 

Previous work on partial or conditional expected accumulated weights was 
restricted to the case of non-negative weights. More precisely, partial expec- 
tations have been studied in the setting of stochastic multiplayer games with 
non-negative weights [8]. Conditional expectations in MDPs with non-negative 
weights have been addressed in [3]. In both cases, optimal values are achieved 
by weight-based deterministic schedulers that depend on the current state and 
the weight that has been accumulated so far, while memoryless schedulers are 
not sufficient. Both [8] and [3] prove the existence of a saturation point for the 
accumulated weight from which on optimal schedulers behave memoryless and 
maximize the probability to reach a goal state. This yields exponential-time algo- 
rithms for computing optimal schedulers using an iterative linear programming 
approach. Moreover, [3] proves that the threshold problem for conditional expectations
(“does there exist a scheduler $\mathfrak{S}$ such that the conditional expectation
under $\mathfrak{S}$ exceeds a given threshold?”) is PSPACE-hard even for acyclic MDPs.
The purpose of the paper is to study partial and conditional expected accu-
mulated weights for MDPs with integer weights. The switch from non-negative 
to integer weights indeed causes several additional difficulties. We start with 
the following observation. While optimal partial or conditional expectations in 
non-negative MDPs are rational, they can be irrational in the general setting: 


[Figure: MDP $M$]

Fig. 1. Enabled actions are denoted by Greek letters and the weight associated to
the action is stated after the bar. Probabilistic choices are marked by a bold arc and
transition probabilities are denoted next to the arrows.


Example 1. Consider the MDP $M$ depicted on the left in Fig. 1. In the initial
state $s_{init}$, two actions are enabled. Action $\tau$ leads to goal with probability 1 and
weight 0. Action $\sigma$ leads to the states $s$ and $t$ with probability $1/2$ from where we
will return to $s_{init}$ with weight $-2$ or $+1$, respectively. The scheduler choosing $\tau$
immediately leads to an expected weight of 0 and is optimal among schedulers
reaching the goal almost surely. As long as we choose $\sigma$ in $s_{init}$, the accumulated
weight follows an asymmetric random walk increasing by 1 or decreasing by 2
with probability $1/2$ before we return to $s_{init}$. It is well known that the prob-
ability to ever reach accumulated weight $+1$ in this random walk is $1/\Phi$ where
$\Phi = \frac{1+\sqrt{5}}{2}$ is the golden ratio. Likewise, ever reaching accumulated weight $n$ has
probability $1/\Phi^n$ for all $n \in \mathbb{N}$. Consider the scheduler $\mathfrak{S}_k$ choosing $\tau$ as soon
as the accumulated weight reaches $k$ in $s_{init}$. Its partial expectation is $k/\Phi^k$ as
the paths which never reach weight $k$ are assigned weight 0. The maximum is
reached at $k = 2$. In Sect. 4, we prove that there are optimal schedulers whose
decisions only depend on the current state and the weight accumulated so far.
With this result we can conclude that the maximal partial expectation is indeed
$2/\Phi^2$, an irrational number.

The conditional expectation of $\mathfrak{S}_k$ in $M$ is $k$ as $\mathfrak{S}_k$ reaches the goal with
accumulated weight $k$ if it reaches the goal. So, the conditional expectation is
not bounded. If we add a new initial state making sure that the goal is reached
with positive probability as in the MDP depicted on the right in Fig. 1, we can obtain an irrational maximal
conditional expectation as well: The scheduler $\mathfrak{S}_k$ choosing $\tau$ in $c$ as soon as
the weight reaches $k$ has conditional expectation $\dfrac{k/(2\Phi^k)}{1/2 + 1/(2\Phi^k)}$. The maximum is
obtained for $k = 3$; the maximal conditional expectation is $\dfrac{3/(2\Phi^3)}{1/2 + 1/(2\Phi^3)} = \dfrac{3}{\Phi^3 + 1}$.
Moreover, while the proposed algorithms of [3,8] crucially rely on the mono-
tonicity of the accumulated weights along the prefixes of paths, the accumulated
weights of prefixes of paths can oscillate when there are positive and negative
weights. As we will see later, this implies that the existence of saturation points
is no longer ensured and optimal schedulers might require infinite memory (more
precisely, a counter for the accumulated weight). These observations provide evi-
dence why linear-programming techniques as used in the case of non-negative
MDPs [3,8] cannot be expected to be applicable for the general setting.
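The computations of Example 1 carried out numerically, as an added Python example that is not part of the paper: the reachability probability of the asymmetric random walk is computed by value iteration over the weight counter and compared with the closed forms $1/\Phi^k$, $k/\Phi^k$ and $k/(\Phi^k+1)$. It assumes (since the right-hand MDP of Fig. 1 is only described in the text) that the new initial state reaches goal directly with probability $1/2$ and weight 0 and otherwise enters $M$; all function names are constructed here.

```python
"""Worked computation for Example 1 (the MDP M with actions τ and σ).
Added example; not the authors' code.

Under scheduler S_k, the accumulated weight in s_init performs a random walk
with steps +1 and −2 (probability 1/2 each) until it reaches k, where τ is
chosen.  The probability of ever reaching k is computed by value iteration
over the weight counter and compared with the closed form 1/Φ^k of the text."""
from math import sqrt

PHI = (1 + sqrt(5)) / 2  # golden ratio


def reach_probability(k: int, floor: int = 80, tol: float = 1e-14) -> float:
    """P(the weight ever reaches k) starting from weight 0 under S_k.

    States are weights w in [-floor, k]; h(k) = 1.  Weights below -floor are
    treated as failure (truncation): the walk drifts down by 1/2 per step, and
    the mass of paths that fall below -floor and still return to k is at most
    1/Φ^(floor + k), negligible for the comparisons below."""
    lo = -floor
    h = {w: 0.0 for w in range(lo, k + 1)}
    h[k] = 1.0
    for _ in range(100_000):
        delta = 0.0
        for w in range(k - 1, lo - 1, -1):   # Gauss-Seidel sweep, top down
            new = 0.5 * h[w + 1] + 0.5 * h.get(w - 2, 0.0)
            delta = max(delta, abs(new - h[w]))
            h[w] = new
        if delta < tol:
            break
    return h[0]


def partial_expectation(k: int) -> float:
    """Paths never reaching weight k contribute 0, so the partial expectation
    of S_k is k · P(reach k)  (= k/Φ^k in the text)."""
    return k * reach_probability(k)


def conditional_expectation_in_M(k: int) -> float:
    """In M itself S_k reaches the goal only with weight k, so the conditional
    expectation is k: unbounded in k."""
    return float(k)


def conditional_expectation_extended(k: int, p_direct: float = 0.5) -> float:
    """Conditional expectation of S_k in the extended MDP.
    Assumption (the right-hand MDP of Fig. 1 is only described in the text):
    the new initial state reaches goal directly with probability p_direct and
    weight 0, and otherwise enters M at s_init.  For p_direct = 1/2 this is
    (k/(2Φ^k)) / (1/2 + 1/(2Φ^k)) = k/(Φ^k + 1)."""
    q = reach_probability(k)
    return (1 - p_direct) * k * q / (p_direct + (1 - p_direct) * q)


def best_k(expectation, ks=range(1, 9)):
    """Return (argmax k, {k: value}) over the candidate thresholds k."""
    values = {k: expectation(k) for k in ks}
    return max(values, key=values.get), values


if __name__ == '__main__':
    print(reach_probability(1), 1 / PHI)              # both ≈ 0.618
    print(best_k(partial_expectation))                # argmax 2, value ≈ 2/Φ² ≈ 0.764
    print(best_k(conditional_expectation_extended))   # argmax 3, value ≈ 3/(Φ³+1)
```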


Contributions. We study the problem of maximizing the partial and condi- 
tional expected accumulated weight in MDPs with integer weights. Our first 
result is that the finiteness of the supremum of partial and conditional expecta- 
tions in MDPs with integer weights can be checked in polynomial time (Sect. 3). 
For both variants we show that there are optimal weight-based deterministic 
schedulers if the supremum is finite (Sect.4). Although the suprema might be 
irrational and optimal schedulers might need infinite memory, the suprema can 
be $\varepsilon$-approximated in time exponential in the size of the MDP and polynomial in
$\log(1/\varepsilon)$ (Sect. 5). By duality of maximal and minimal expectations, analogous
results hold for the problem of minimizing the partial or conditional expected 
accumulated weight. (Note that we can multiply all weights by —1 and then 
apply the results for maximal partial resp. conditional expectations.) 


Related Work. Closest to our contribution is the above mentioned work on 
partial expected accumulated weights in stochastic multiplayer games with non- 
negative weights in [8] and on computation schemes for maximal conditional 
expected accumulated weights in non-negative MDPs [3]. Conditional expected 
termination time in probabilistic push-down automata has been studied in [11], 
which can be seen as analogous considerations for a class of infinite-state Markov 
chains with non-negative weights. The recent work on notions of conditional 
value at risk in MDPs [15] also studies conditional expectations, but the con- 
sidered random variables are limit averages and a notion of (non-accumulated) 
weight-bounded reachability. 


2 Preliminaries 


We give basic definitions and present our notation. More details can be found in 
textbooks, e.g. [18]. 


Notations for Markov Decision Processes. A Markov decision process (MDP) is a tuple $M = (S, Act, P, s_{init}, wgt)$ where $S$ is a finite set of states, $Act$ a finite set of actions, $s_{init} \in S$ the initial state, $P : S \times Act \times S \to [0,1] \cap \mathbb{Q}$ is the transition probability function and $wgt : S \times Act \to \mathbb{Z}$ the weight function. We require that $\sum_{t \in S} P(s,a,t) \in \{0,1\}$ for all $(s,a) \in S \times Act$. We write $Act(s)$ for the set of actions that are enabled in $s$, i.e., $a \in Act(s)$ iff $\sum_{t \in S} P(s,a,t) = 1$. We assume that $Act(s)$ is non-empty for all $s$ and that all states are reachable from $s_{init}$. We call a state absorbing if the only enabled action leads to the state itself with probability 1 and weight 0. The paths of $M$ are finite or infinite sequences $s_0\, a_0\, s_1\, a_1\, s_2\, a_2 \ldots$ where states and actions alternate such that $P(s_i, a_i, s_{i+1}) > 0$ for all $i \geq 0$. If $\pi = s_0\, a_0\, s_1\, a_1 \ldots a_{k-1}\, s_k$ is finite, then $wgt(\pi) = wgt(s_0,a_0) + \ldots + wgt(s_{k-1}, a_{k-1})$ denotes the accumulated weight of $\pi$, $P(\pi) = P(s_0,a_0,s_1) \cdot \ldots \cdot P(s_{k-1},a_{k-1},s_k)$ its probability, and $last(\pi) = s_k$ its last state. The size of $M$, denoted $size(M)$, is the sum of the number of states plus the total sum of the logarithmic lengths of the non-zero probability values $P(s,a,s')$ as fractions of co-prime integers and the weight values $wgt(s,a)$. 


Scheduler. A (history-dependent, randomized) scheduler for $M$ is a function $\sigma$ that assigns to each finite path $\pi$ a probability distribution over $Act(last(\pi))$. $\sigma$ is called memoryless if $\sigma(\pi) = \sigma(\pi')$ for all finite paths $\pi, \pi'$ with $last(\pi) = last(\pi')$, in which case $\sigma$ can be viewed as a function that assigns to each state $s$ a distribution over $Act(s)$. $\sigma$ is called deterministic if $\sigma(\pi)$ is a Dirac distribution for each path $\pi$, in which case $\sigma$ can be viewed as a function that assigns an action to each finite path $\pi$. Scheduler $\sigma$ is said to be weight-based if $\sigma(\pi) = \sigma(\pi')$ for all finite paths $\pi, \pi'$ with $wgt(\pi) = wgt(\pi')$ and $last(\pi) = last(\pi')$. Thus, deterministic weight-based schedulers can be viewed as functions that assign actions to state-weight pairs. By $HR^M$ we denote the class of all schedulers, by $WR^M$ the class of weight-based schedulers, by $WD^M$ the class of weight-based, deterministic schedulers, and by $MD^M$ the class of memoryless deterministic schedulers. Given a scheduler $\sigma$, $\zeta = s_0\, a_0\, s_1\, a_1 \ldots$ is a $\sigma$-path iff $\zeta$ is a path and $\sigma(s_0\, a_0\, s_1\, a_1 \ldots a_{k-1}\, s_k)(a_k) > 0$ for all $k \geq 0$. 


Probability Measure. We write $\Pr^{\sigma}_{M,s}$ or briefly $\Pr^{\sigma}_{s}$ to denote the probability measure induced by $\sigma$ and $s$. For details, see [18]. We will use LTL-like formulas to denote measurable sets of paths and also write $\Diamond(wgt \bowtie x)$ to describe the set of infinite paths having a prefix $\pi$ with $wgt(\pi) \bowtie x$ for $x \in \mathbb{Z}$ and $\bowtie \in \{<, \leq, =, \geq, >\}$. Given a measurable set $\psi$ of infinite paths, we define $\Pr^{\min}_{M,s}(\psi) = \inf_{\sigma} \Pr^{\sigma}_{M,s}(\psi)$ and $\Pr^{\max}_{M,s}(\psi) = \sup_{\sigma} \Pr^{\sigma}_{M,s}(\psi)$ where $\sigma$ ranges over all schedulers for $M$. Throughout the paper, we suppose that the given MDP has a designated state $goal$. Then, $p^{\max}_s$ and $p^{\min}_s$ denote the maximal resp. minimal probability of reaching $goal$ from $s$. That is, $p^{\max}_s = \sup_{\sigma} \Pr^{\sigma}_s(\Diamond goal)$ and $p^{\min}_s = \inf_{\sigma} \Pr^{\sigma}_s(\Diamond goal)$. Let $Act^{\max}(s) = \{a \in Act(s) \mid \sum_{t \in S} P(s,a,t) \cdot p^{\max}_t = p^{\max}_s\}$, and $Act^{\min}(s) = \{a \in Act(s) \mid \sum_{t \in S} P(s,a,t) \cdot p^{\min}_t = p^{\min}_s\}$. 


Mean Payoff. A well-known measure for the long-run behavior of a scheduler $\sigma$ in an MDP $M$ is the mean payoff. Intuitively, the mean payoff is the amount of weight accumulated per step on average in the long run. Formally, we define the mean payoff as the following random variable on infinite paths $\zeta = s_0\, a_0\, s_1\, a_1 \ldots$:

$$MP(\zeta) := \liminf_{n \to \infty} \frac{1}{n} \sum_{i=0}^{n-1} wgt(s_i, a_i).$$

The mean payoff of the scheduler $\sigma$ starting in $s_{init}$ is then defined as the expected value $\mathbb{E}^{\sigma}_{M,s_{init}}(MP)$. The maximal mean payoff is the supremum over all schedulers which is equal to the maximum over all MD-schedulers: $\mathbb{E}^{\max}_{M,s_{init}}(MP) = \max_{\sigma \in MD} \mathbb{E}^{\sigma}_{M,s_{init}}(MP)$. In strongly connected MDPs, the maximal mean payoff does not depend on the initial state. 


End Components, MEC-Quotient. An end component of $M$ is a strongly connected sub-MDP. End components can be formalized as pairs $\mathcal{E} = (E, \mathfrak{A})$ where $E$ is a nonempty subset of $S$ and $\mathfrak{A}$ a function that assigns to each state $s \in E$ a nonempty subset of $Act(s)$ such that the graph induced by $\mathcal{E}$ is strongly connected. $\mathcal{E}$ is called maximal if there is no end component $\mathcal{E}' = (E', \mathfrak{A}')$ with $\mathcal{E} \neq \mathcal{E}'$, $E \subseteq E'$ and $\mathfrak{A}(s) \subseteq \mathfrak{A}'(s)$ for all $s \in E$. The MEC-quotient of an MDP $M$ is the MDP $MEC(M)$ arising from $M$ by collapsing all states that belong to the same maximal end component $\mathcal{E}$ to a state $s_{\mathcal{E}}$. All actions enabled in some state in $E$ not belonging to $\mathfrak{A}$ are enabled in $s_{\mathcal{E}}$. Details and the formal construction can be found in [9]. We call an end component $\mathcal{E}$ positively weight-divergent if there is a scheduler $\sigma$ for $\mathcal{E}$ such that $\Pr^{\sigma}_{\mathcal{E},s}(\Diamond(wgt \geq n)) = 1$ for all $s \in E$ and $n \in \mathbb{N}$. In [1], it is shown that the existence of positively weight-divergent end components can be decided in polynomial time. 


3 Partial and Conditional Expectations in MDPs 


We define partial and conditional expectations in MDPs. We extend the definition 
of [8] by introducing partial expectations with bias which are closely related to 
conditional expectations. Afterwards, we sketch the computation of maximal 
partial expectations in MDPs with non-negative weights and in Markov chains. 


Partial and Conditional Expectation. In the sequel, let $M$ be an MDP with a designated absorbing goal state $goal$. Furthermore, we collapse all states from which $goal$ is not reachable to one absorbing state $fail$. Let $b \in \mathbb{R}$. We define the random variable $\oplus^b goal$ on infinite paths $\zeta$ by

$$\oplus^b goal(\zeta) := \begin{cases} wgt(\zeta) + b & \text{if } \zeta \models \Diamond goal, \\ 0 & \text{if } \zeta \not\models \Diamond goal. \end{cases}$$

We call the expectation of this random variable under a scheduler $\sigma$ the partial expectation with bias $b$ of $\sigma$ and write $PE^{\sigma}_{M,s_{init}}[b] := \mathbb{E}^{\sigma}_{M,s_{init}}(\oplus^b goal)$ as well as $PE^{\max}_{M,s_{init}}[b] := \sup_{\sigma \in HR^M} PE^{\sigma}_{M,s_{init}}[b]$. If $b = 0$, we sometimes drop the argument $b$; if $M$ is clear from the context, we drop the subscript. In order to maximize the partial expectation, intuitively one has to find the right balance between reaching $goal$ with high probability and accumulating a high positive amount of weight before reaching $goal$. The bias can be used to shift this balance by additionally rewarding or penalizing a high probability to reach $goal$.

The conditional expectation of $\sigma$ is defined as the expectation of $\oplus^0 goal$ under the condition that $goal$ is reached. It is defined if $\Pr^{\sigma}_{M,s_{init}}(\Diamond goal) > 0$. We write $CE^{\sigma}_{M,s_{init}} := \mathbb{E}^{\sigma}_{M,s_{init}}(\oplus^0 goal \mid \Diamond goal)$ and $CE^{\max}_{M,s_{init}} := \sup_{\sigma} CE^{\sigma}_{M,s_{init}}$ where the supremum is taken over all schedulers $\sigma$ with $\Pr^{\sigma}_{M,s_{init}}(\Diamond goal) > 0$. We can express the conditional expectation as $CE^{\sigma}_{M,s_{init}} = PE^{\sigma}_{M,s_{init}} / \Pr^{\sigma}_{M,s_{init}}(\Diamond goal)$. The following proposition establishes a close connection between conditional expectations and partial expectations with bias. 


Proposition 2. Let $M$ be an MDP, $\sigma$ a scheduler with $\Pr^{\sigma}_{s_{init}}(\Diamond goal) > 0$, $\theta \in \mathbb{Q}$, and $\bowtie \in \{<, \leq, >, \geq\}$. Then we have $PE^{\sigma}_{s_{init}}[-\theta] \bowtie 0$ iff $CE^{\sigma}_{s_{init}} \bowtie \theta$. Further, if $\Pr^{\max}_{s_{init}}(\Diamond goal) > 0$, then $PE^{\max}_{s_{init}}[-\theta] \bowtie 0$ iff $CE^{\max}_{s_{init}} \bowtie \theta$.

Proof. The first claim follows from $PE^{\sigma}_{s_{init}}[-\theta] = PE^{\sigma}_{s_{init}}[0] - \Pr^{\sigma}_{s_{init}}(\Diamond goal) \cdot \theta$. The second claim follows by quantification over all schedulers. 


In [3], it is shown that deciding whether $CE^{\max}_{s_{init}} \bowtie \theta$ for $\bowtie \in \{<, \leq, >, \geq\}$ and $\theta \in \mathbb{Q}$ is PSPACE-hard even for acyclic MDPs. We conclude:

Corollary 3. Given an MDP $M$, $\bowtie \in \{<, \leq, >, \geq\}$, and $\theta \in \mathbb{Q}$, deciding whether $PE^{\max}_{s_{init}} \bowtie \theta$ is PSPACE-hard. 


Finiteness. We present criteria for the finiteness of $PE^{\max}_{s_{init}}[b]$ and $CE^{\max}_{s_{init}}$. Detailed proofs can be found in Appendix A.1 of [17]. By slightly modifying the construction from [1] which removes end components only containing 0-weight cycles, we obtain the following result. 


Proposition 4. Let $M$ be an MDP which does not contain positively weight-divergent end components and let $b \in \mathbb{Q}$. Then there is a polynomial time transformation to an MDP $N$ containing all states from $M$ and possibly an additional absorbing state $fail$ such that

– all end components of $N$ have negative maximal expected mean payoff,
– for any scheduler $\sigma$ for $M$ there is a scheduler $\sigma'$ for $N$ with $\Pr^{\sigma}_{M,s}(\Diamond goal) = \Pr^{\sigma'}_{N,s}(\Diamond goal)$ and $PE^{\sigma}_{M,s}[b] = PE^{\sigma'}_{N,s}[b]$ for any state $s$ in $M$, and vice versa. 


Hence, we can restrict ourselves to MDPs in which all end components have 
negative maximal expected mean payoff if there are no positively weight diver- 
gent end components. The following result is now analogous to the result in [1] 
for the classical SSP problem. 


Proposition 5. Let $M$ be an MDP and $b \in \mathbb{R}$ arbitrary. The optimal partial expectation $PE^{\max}_{s_{init}}[b]$ is finite if and only if there are no positively weight-divergent end components in $M$. 


To obtain an analogous result for conditional expectations, we observe that the finiteness of the maximal partial expectation is necessary for the finiteness of the maximal conditional expectation. However, this is not sufficient. In [3], a critical scheduler is defined as a scheduler $\sigma$ for which there is a path containing a positive cycle and for which $\Pr^{\sigma}_{s_{init}}(\Diamond goal) = 0$. Given a critical scheduler, it is easy to construct a sequence of schedulers with unbounded conditional expectation (see Appendix A.1 of [17] and [3]). On the other hand, if $\Pr^{\min}_{s_{init}}(\Diamond goal) > 0$, then $CE^{\max}_{s_{init}}$ is finite if and only if $PE^{\max}_{s_{init}}$ is finite. We will show how we can restrict ourselves to this case if there are no critical schedulers:

So, let $M$ be an MDP with $\Pr^{\min}_{s_{init}}(\Diamond goal) = 0$ and suppose there are no critical schedulers for $M$. Let $S_0$ be the set of all states reachable from $s_{init}$ while only choosing actions in $Act^{\min}$. As there are no critical schedulers, $(S_0, Act^{\min})$ does not contain positive cycles. So, there is a finite maximal weight $w_s$ among paths leading from $s_{init}$ to $s$ in $S_0$. Consider the following MDP $N$: It contains the MDP $M$ and a new initial state $t_{init}$. For each $s \in S_0$ and each $a \in Act(s) \setminus Act^{\min}(s)$, $N$ also contains a new state $t_{s,a}$ which is reachable from $t_{init}$ via an action $\tau_{s,a}$ with weight $w_s$ and probability 1. In $t_{s,a}$, only action $a$ with the same probability distribution over successors and the same weight as in $s$ is enabled. So in $N$, one has to decide immediately in which state to leave $S_0$ and one accumulates the maximal weight which can be accumulated in $M$ to reach this state in $S_0$. In this way, we ensure that $\Pr^{\min}_{N,t_{init}}(\Diamond goal) > 0$. 


Proposition 6. The constructed MDP $N$ satisfies $CE^{\max}_{N,t_{init}} = CE^{\max}_{M,s_{init}}$.

We can rely on this reduction to an MDP in which $goal$ is reached with positive probability for $\varepsilon$-approximations and the exact computation of the optimal conditional expectation. In particular, the values $w_s$ for $s \in S_0$ are easy to compute by classical shortest path algorithms on weighted graphs. Furthermore, we can now decide the finiteness of the maximal conditional expectation.

Proposition 7. For an arbitrary MDP $M$, $CE^{\max}_{M,s_{init}}$ is finite if and only if there are no positively weight-divergent end components and no critical schedulers. 


Partial and Conditional Expectations in Markov Chains. Markov chains with integer weights can be seen as MDPs with only one action $\alpha$ enabled in every state. Consequently, there is only one scheduler for a Markov chain. Hence, we drop the superscripts in $p^{\max}$ and $PE^{\max}$. 


Proposition 8. The partial and conditional expectation in a Markov chain $C$ are computable in polynomial time.

Proof. Let $\alpha$ be the only action available in $C$. Assume that all states from which $goal$ is not reachable have been collapsed to an absorbing state $fail$. Then $PE_{C,s_{init}}$ is the value of $x_{s_{init}}$ in the unique solution to the following system of linear equations with one variable $x_s$ for each state $s$:

$$x_{goal} = x_{fail} = 0, \qquad x_s = wgt(s,\alpha) \cdot p_s + \sum_{t} P(s,\alpha,t) \cdot x_t \quad \text{for } s \in S \setminus \{goal, fail\}.$$

The existence of a unique solution follows from the fact that $\{goal\}$ and $\{fail\}$ are the only end components (see [18]). It is straightforward to check that $(PE_{C,s})_{s \in S}$ is this unique solution. The conditional expectation is obtained from the partial expectation by dividing by the probability $p_{s_{init}}$ to reach the goal. □
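The following is an added worked example (not code from the paper): it performs the collapse-to-fail step, solves the reachability system for $p_s$ and then the linear system of the proof, all in exact rational arithmetic. The chain, its weights and the state names are constructed here for illustration; the state "trap" shows why the collapse is needed, since with it left in place the system is singular.

```python
from fractions import Fraction
from typing import Callable, Dict, List, Optional, Tuple

# Markov chain with integer weights: one implicit action per state, so
# transitions are state -> [(successor, probability)] and weights are per state.
Chain = Dict[str, List[Tuple[str, Fraction]]]
FAIL = "fail"


def solve_linear(a: List[List[Fraction]], b: List[Fraction]) -> List[Fraction]:
    """Exact Gauss-Jordan elimination over the rationals; raises if singular."""
    n = len(a)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = next((r for r in range(col, n) if m[r][col] != 0), None)
        if piv is None:  # an end component other than {goal}, {fail} survived
            raise ValueError("singular system: collapse unreachable states first")
        m[col], m[piv] = m[piv], m[col]
        inv = 1 / m[col][col]
        m[col] = [v * inv for v in m[col]]
        for r in range(n):
            if r != col and m[r][col] != 0:
                f = m[r][col]
                m[r] = [rv - f * cv for rv, cv in zip(m[r], m[col])]
    return [m[i][n] for i in range(n)]


def collapse_to_fail(chain: Chain, goal: str) -> Chain:
    """Collapse every state that cannot reach goal into one absorbing state
    fail (weight 0), the preprocessing step assumed by the proof."""
    can_reach = {goal}
    changed = True
    while changed:  # backward reachability fixpoint
        changed = False
        for s, succ in chain.items():
            if s not in can_reach and any(t in can_reach for t, _ in succ):
                can_reach.add(s)
                changed = True
    out: Chain = {FAIL: [(FAIL, Fraction(1))]}
    for s, succ in chain.items():
        if s in can_reach:
            out[s] = [(t if t in can_reach else FAIL, p) for t, p in succ]
    return out


def partial_and_conditional_expectation(
    chain: Chain, wgt: Dict[str, int], goal: str, init: str, collapse: bool = True
) -> Tuple[Fraction, Optional[Fraction]]:
    """Return (PE_{C,init}, CE_{C,init}); CE is None when goal is unreachable."""
    if collapse:
        chain = collapse_to_fail(chain, goal)
    if init not in chain:  # init itself cannot reach goal
        return Fraction(0), None
    states = sorted(chain)
    idx = {s: i for i, s in enumerate(states)}
    n = len(states)
    terminal = {goal, FAIL}

    def solve(rhs: Callable[[str], Fraction]) -> List[Fraction]:
        # Row for a non-terminal s:  x_s - sum_t P(s,t) x_t = rhs(s);
        # row for goal / fail:        x_s = rhs(s).
        a = [[Fraction(0)] * n for _ in range(n)]
        b = [Fraction(0)] * n
        for s in states:
            i = idx[s]
            a[i][i] = Fraction(1)
            b[i] = rhs(s)
            if s not in terminal:
                for t, prob in chain[s]:
                    a[i][idx[t]] -= prob
        return solve_linear(a, b)

    # Step 1: probabilities p_s of reaching goal (p_goal = 1, p_fail = 0).
    p = solve(lambda s: Fraction(1 if s == goal else 0))
    # Step 2: the system of the proof, x_s = wgt(s) * p_s + sum_t P(s,t) * x_t.
    x = solve(lambda s: Fraction(0) if s in terminal else wgt.get(s, 0) * p[idx[s]])
    pe = x[idx[init]]
    ce = pe / p[idx[init]] if p[idx[init]] > 0 else None
    return pe, ce


# Constructed chain (weights and probabilities chosen for this example only).
# "trap" has a positive cycle but never reaches goal, so it must be collapsed
# into fail; without that step the equation system is singular.
EXAMPLE_CHAIN: Chain = {
    "s0": [("s1", Fraction(1, 2)), ("trap", Fraction(1, 2))],
    "s1": [("goal", Fraction(1, 2)), ("s0", Fraction(1, 2))],
    "trap": [("trap", Fraction(1))],
    "goal": [("goal", Fraction(1))],
}
EXAMPLE_WGT = {"s0": 3, "s1": -1, "trap": 5, "goal": 0}

if __name__ == "__main__":
    pe, ce = partial_and_conditional_expectation(EXAMPLE_CHAIN, EXAMPLE_WGT, "goal", "s0")
    print(f"PE = {pe}, CE = {ce}")  # PE = 8/9, CE = 8/3
```

From s0 the paths reaching goal are n rounds of s0 s1 (probability 1/4, weight 2 each) followed by s0 s1 goal, which gives the same value 8/9 by summing the series directly.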


This result can be seen as a special case of the following result. Restricting 
ourselves to schedulers which reach the goal with maximal or minimal proba- 
bility in an MDP without positively weight-divergent end components, linear 
programming allows us to compute the following two memoryless deterministic 
schedulers (see [3,8]). 
Proposition 9. Let $M$ be an MDP without positively weight-divergent end components. There is a scheduler $\mathit{Max} \in MD^M$ such that for each $s \in S$ we have $\Pr^{\mathit{Max}}_s(\Diamond goal) = p^{\max}_s$ and $PE^{\mathit{Max}}_s = \sup_{\sigma} PE^{\sigma}_s$ where the supremum is taken over all schedulers $\sigma$ with $\Pr^{\sigma}_s(\Diamond goal) = p^{\max}_s$. Similarly, there is a scheduler $\mathit{Min} \in MD^M$ maximizing the partial expectation among all schedulers reaching the goal with minimal probability. Both these schedulers and their partial expectations are computable in polynomial time. 


These schedulers will play a crucial role for the approximation of the maximal 
partial expectation and the exact computation of maximal partial expectations 
in MDPs with non-negative weights. 


Partial Expectations in MDPs with Non-negative Weights. In [8], the 
computation of maximal partial expectations in stochastic multiplayer games 
with non-negative weights is presented. We adapt this approach to MDPs with 
non-negative weights. A key result is the existence of a saturation point, a bound 
on the accumulated weight above which optimal schedulers do not need memory. 

In the sequel, let $R \in \mathbb{Q}$ be arbitrary, let $M$ be an MDP with non-negative weights, $PE^{\max}_{s_{init}} < \infty$, and assume that end components have negative maximal mean payoff (see Proposition 4). A saturation point for bias $R$ is a natural number $p$ such that there is a scheduler $\sigma$ with $PE^{\sigma}_{s_{init}}[R] = PE^{\max}_{s_{init}}[R]$ which is memoryless and deterministic as soon as the accumulated weight reaches $p$, i.e. for any two paths $\pi$ and $\pi'$ with $last(\pi) = last(\pi')$ and $wgt(\pi), wgt(\pi') \geq p$, $\sigma(\pi) = \sigma(\pi')$. 

Transferring the idea behind the saturation point for conditional expectations 
given in [3], we provide the following saturation point which can be considerably 
smaller than the saturation point given in [8] in stochastic multiplayer games. 
Detailed proofs to this section are given in Appendix A.2 of [17]. 

Proposition 10. We define $p^{\max}_{s,a} := \sum_{t \in S} P(s,a,t) \cdot p^{\max}_t$ and $PE^{\mathit{Max}}_{s,a} := wgt(s,a) + \sum_{t \in S} P(s,a,t) \cdot PE^{\mathit{Max}}_t$. Then,

$$p_R := \sup \left\{ \frac{PE^{\mathit{Max}}_{s,a} - PE^{\mathit{Max}}_s}{p^{\max}_s - p^{\max}_{s,a}} \;\middle|\; s \in S,\ a \in Act(s) \setminus Act^{\max}(s) \right\} - R$$

is an upper saturation point for bias $R$ in $M$. 


The saturation point $p_R$ is chosen such that, as soon as the accumulated weight exceeds $p_R$, the scheduler $\mathit{Max}$ is better than any scheduler deviating from $\mathit{Max}$ for only one step. So, the proposition states that $\mathit{Max}$ is then also better than any other scheduler.

As all values involved in the computation can be determined by linear programming, the saturation point $p_R$ is computable in polynomial time. This also means that the logarithmic length of $p_R$ is polynomial in the size of $M$ and hence $p_R$ itself is at most exponential in the size of $M$. 


Proposition 11. Let $R \in \mathbb{Q}$ and let $B_R$ be the least integer greater or equal to $p_R + \max_{s \in S, a \in Act(s)} wgt(s,a)$ and let $S' := S \setminus \{goal, fail\}$. The values $(PE^{\max}_s[r+R])_{s \in S', 0 \leq r \leq B_R}$ form the unique solution to the following linear program in the variables $(x_{s,r})_{s \in S', 0 \leq r \leq B_R}$ ($r$ ranges over integers): Minimize $\sum_{s \in S', 0 \leq r \leq B_R} x_{s,r}$ under the following constraints:

For $r \geq p_R$: $x_{s,r} = p^{\max}_s \cdot (r + R) + PE^{\mathit{Max}}_s$,

for $r < p_R$ and $a \in Act(s)$: $x_{s,r} \geq P(s,a,goal) \cdot (r + R + wgt(s,a)) + \sum_{t \in S'} P(s,a,t) \cdot x_{t,\, r + wgt(s,a)}$.

From a solution $x$ to the linear program, we can easily extract an optimal weight-based deterministic scheduler. This scheduler only needs finite memory because the accumulated weight increases monotonically along paths and as soon as the saturation point is reached $\mathit{Max}$ provides the optimal decisions. As $B_R$ is exponential in the size of $M$, the computation of the optimal partial expectation via this linear program runs in time exponential in the size of $M$. 


4 Existence of Optimal Schedulers 


We prove that there are optimal weight-based deterministic schedulers for partial and conditional expectations. After showing that, if finite, $PE^{\max}$ is equal to $\sup_{\sigma \in WD^M} PE^{\sigma}$, we take an analytic approach to show that there is a weight-based deterministic scheduler maximizing the partial expectation. We define a metric on $WD^M$ turning it into a compact space. Then, we prove that the function assigning the partial expectation to schedulers is upper semi-continuous. We conclude that there is a weight-based deterministic scheduler obtaining the maximum. Proofs to this section can be found in Appendix B of [17]. 


Proposition 12. Let $M$ be an MDP with $PE^{\max}_{s_{init}} < \infty$. Then we have $PE^{\max}_{s_{init}} = \sup_{\sigma \in WD^M} PE^{\sigma}_{s_{init}}$.

Proof sketch. We can assume that all end components have negative maximal expected mean payoff (see Proposition 4). Given a scheduler $\sigma \in HR^M$, we take the expected number of times $\theta_{s,w}$ that $s$ is visited with accumulated weight $w$ under $\sigma$ for each state-weight pair $(s,w)$, and the expected number of times $\theta_{s,w,a}$ that $\sigma$ then chooses $a$. These values are finite due to the negative maximal mean payoff in end components. We define the scheduler $T \in WR^M$ choosing $a$ in $s$ with probability $\theta_{s,w,a}/\theta_{s,w}$ when weight $w$ has been accumulated. Then, we show by standard arguments that we can replace all probability distributions that $T$ chooses by Dirac distributions to obtain a scheduler $T' \in WD^M$ such that $PE^{T'}_{s_{init}} \geq PE^{\sigma}_{s_{init}}$. 


It remains to show that the supremum is obtained by a weight-based deterministic scheduler. Given an MDP $M$ with arbitrary integer weights, we define the following metric $d^M$ on the set of weight-based deterministic schedulers, i.e. on the set of functions from $S \times \mathbb{Z} \to Act$: For two such schedulers $\sigma$ and $T$, we let $d^M(\sigma, T) := 2^{-R}$ where $R$ is the greatest natural number such that $\sigma \restriction S \times \{-(R-1), \ldots, R-1\} = T \restriction S \times \{-(R-1), \ldots, R-1\}$, or $\infty$ if there is no greatest such natural number. 


Lemma 13. The metric space $(Act^{S \times \mathbb{Z}}, d^M)$ is compact.

Having defined this compact space of schedulers, we can rely on the analytic notion of upper semi-continuity.

Lemma 14 (Upper Semi-Continuity of Partial Expectations). If $PE^{\max}$ is finite in $M$, then the function $PE : (WD^M, d^M) \to (\mathbb{R}_{\infty}, d^{nat})$ assigning $PE^{\sigma}_{s_{init}}$ to a weight-based deterministic scheduler $\sigma$ is upper semi-continuous. 


The technical proof of this lemma can be found in Appendix B of [17]. We 
arrive at the main result of this section. 


Theorem 15 (Existence of Optimal Schedulers for Partial Expectations). If $PE^{\max}_{s_{init}}$ is finite in an MDP $M$, then there is a weight-based deterministic scheduler $\sigma$ with $PE^{\sigma}_{s_{init}} = PE^{\max}_{s_{init}}$.

Proof. If $PE^{\max}_{s_{init}}$ is finite, then the map $PE : (WD^M, d^M) \to (\mathbb{R}_{\infty}, d^{nat})$ is upper semi-continuous. So, this map has a maximum because $(WD^M, d^M)$ is a compact metric space. 


Corollary 16 (Existence of Optimal Schedulers for Conditional Expectations). If $CE^{\max}_{s_{init}}$ is finite in an MDP $M$, then there is a weight-based deterministic scheduler $\sigma$ with $CE^{\sigma}_{s_{init}} = CE^{\max}_{s_{init}}$.

Proof. By Proposition 6, we can assume that $\Pr^{\min}_{s_{init}}(\Diamond goal) > 0$. We know that $PE^{\max}_{s_{init}}[-CE^{\max}_{s_{init}}] = 0$ and that there is a weight-based deterministic scheduler $\sigma$ with $PE^{\sigma}_{s_{init}}[-CE^{\max}_{s_{init}}] = 0$. By Proposition 2, $\sigma$ maximizes the conditional expectation as it reaches $goal$ with positive probability. 


Fig. 2. The MDP $N$ and the MDP $M$. All non-trivial transition probabilities are 1/2. In the MDP $M$, the optimal choice to maximize the partial expectation in $t$ depends on the parity of the accumulated weight. 
In MDPs with non-negative weights, the optimal decision in a state $s$ only depends on $s$ as soon as the accumulated weight exceeds a saturation point. In MDPs with arbitrary integer weights, it is possible that the optimal choice of action does not become stable for increasing values of accumulated weight as we see in the following example. 


Example 17. Let us first consider the MDP $N$ depicted in Fig. 2. Let $\pi$ be a path reaching $t$ for the first time with accumulated weight $r$. Consider a scheduler which chooses $\beta$ for the first $k$ times and then $\alpha$. In this situation, the partial expectation from this point on is: 


k k+1 
1 1 , 1o 1 n hos 
Qk+I (r—k) 4 > la i) = Qk | ` ie i)= gk T" 2. 
i=1 i=1 


For $r \geq 2$, this partial expectation has its unique maximum for the choice $k = r - 2$. This already shows that an optimal scheduler needs infinite memory. No matter how much weight $r$ has been accumulated when reaching $t$, the optimal scheduler has to count the $r - 2$ times it chooses $\beta$.

Furthermore, we can transfer the optimal scheduler for the MDP $N$ to the MDP $M$. In state $t$, we have to make a nondeterministic choice between two actions leading to the states $q_0$ and $q_1$, respectively. In both of these states, action $\beta$ is enabled which behaves like the same action in the MDP $N$ except that it moves between the two states if $goal$ is not reached. So, the action $\alpha$ is only enabled every other step. As in $N$, we want to choose $\alpha$ after choosing $\beta$ $r - 2$ times if we arrived in $t$ with accumulated weight $r \geq 2$. So, the choice in $t$ depends on the parity of $r$: For $r = 1$ or $r$ even, we choose $\delta$. For odd $r \geq 3$, we choose $\gamma$. This shows that the optimal scheduler in the MDP $M$ needs specific information about the accumulated weight, in this case the parity, no matter how much weight has been accumulated. 

In the example, the optimal scheduler has a periodic behavior when fixing 
a state and looking at optimal decisions for increasing values of accumulated 
weight. The question whether an optimal scheduler always has such a periodic 
behavior remains open. 


5 Approximation 


As the optimal values for partial and conditional expectation can be irrational, 
there is no hope to compute these values by linear programming as in the case of 
non-negative weights. In this section, we show how we can nevertheless approx- 
imate the values. The main result is the following. 

Theorem 18. Let $M$ be an MDP with $PE^{\max}_{M,s_{init}} < \infty$ and $\varepsilon > 0$. The maximal partial expectation $PE^{\max}_{M,s_{init}}$ can be approximated up to an absolute error of $\varepsilon$ in time exponential in the size of $M$ and polynomial in $\log(1/\varepsilon)$. If further $CE^{\max}_{M,s_{init}} < \infty$, also $CE^{\max}_{M,s_{init}}$ can be approximated up to an absolute error of $\varepsilon$ in time exponential in the size of $M$ and polynomial in $\log(1/\varepsilon)$.

We first prove that upper bounds for $PE^{\max}_{M,s_{init}}$ and $CE^{\max}_{M,s_{init}}$ can be computed in polynomial time. Then, we show that there are $\varepsilon$-optimal schedulers for the partial expectation which become memoryless as soon as the accumulated weight leaves a sufficiently large weight window around 0. We compute the optimal partial expectation of such a scheduler by linear programming. The result can then be extended to conditional expectations. 


Upper Bounds. Let $M$ be an MDP in which all end components have negative maximal mean payoff. Let $\delta$ be the minimal non-zero transition probability in $M$ and $W := \max_{s \in S, a \in Act(s)} |wgt(s,a)|$. Moving through the MEC-quotient, the probability to reach an accumulated weight of $|S| \cdot W$ is bounded by $1 - \delta^{|S|}$ as $goal$ or $fail$ is reached within $|S|$ steps with probability at least $\delta^{|S|}$. It remains to show similar bounds inside an end component. 

We will use the characterization of the maximal mean payoff in terms of 
super-harmonic vectors due to Hordijk and Kallenberg [13] to define a super- 
martingale controlling the growth of the accumulated weight in an end compo- 
nent under any scheduler. As the value vector for the maximal mean payoff in 
an end component is constant and negative in our case, the results of [13] yield: 


Proposition 19 (Hordijk, Kallenberg). Let $\mathcal{E} = (S, Act)$ be an end component with maximal mean payoff $-t$ for some $t > 0$. Then there is a vector $(u_s)_{s \in S}$ such that $-t + u_s \geq wgt(s,a) + \sum_{s' \in S} P(s,a,s') \cdot u_{s'}$ for all $s \in S$ and $a \in Act(s)$.

Furthermore, let $v$ be the vector $(-t, \ldots, -t)$ in $\mathbb{R}^S$. Then, $(v,u)$ is the solution to a linear program with $2|S|$ variables, $2|S||Act|$ inequalities, and coefficients formed from the transition probabilities and weights in $\mathcal{E}$. 


We will call the vector $u$ a super-potential because the expected accumulated weight after $i$ steps is at most $u_s - \min_{t \in S} u_t - i \cdot t$ when starting in state $s$. Let $\sigma$ be a scheduler for $\mathcal{E}$ starting in some state $s$. We define the following random variables on $\sigma$-runs in $\mathcal{E}$: let $s(i) \in S$ be the state after $i$ steps, let $a(i)$ be the action chosen after $i$ steps, let $w(i)$ be the accumulated weight after $i$ steps, and let $\pi(i)$ be the history, i.e. the finite path after $i$ steps. 


Lemma 20. The sequence $m(i) := w(i) + u_{s(i)}$ satisfies $\mathbb{E}(m(i+1) \mid \pi(0), \ldots, \pi(i)) \leq m(i) - t$ for all $i$.

Proof. By Proposition 19, $\mathbb{E}(m(i+1) \mid \pi(0), \ldots, \pi(i)) - m(i) = wgt(s(i), \sigma(\pi(i))) + \sum_{s' \in S} P(s(i), \sigma(\pi(i)), s') \cdot u_{s'} - u_{s(i)} \leq -t$. 


We are going to apply the following theorem by Blackwell [6]. 


Theorem 21 (Blackwell [6]). Let $X_1, X_2, \ldots$ be random variables, and let $S_n := \sum_{i=1}^{n} X_i$. Assume that $|X_i| \leq 1$ for all $i$ and that there is a $u > 0$ such that $\mathbb{E}(X_{n+1} \mid X_1, \ldots, X_n) \leq -u$. Then, $\Pr(\sup_{n \in \math
bb{N}} S_n \geq t) \leq \left(\frac{1-u}{1+u}\right)^t$.

¹ This means that $m(i) + i \cdot t$ is a super-martingale with respect to the history $\pi(i)$.

We denote $\max_{s \in S} u_s - \min_{s' \in S} u_{s'}$ by $\|u\|$. Observe that $|m(i+1) - m(i)| \leq \|u\| + W =: c_{\mathcal{E}}$. We can rescale the sequence $m(i)$ by defining $m'(i) := (m(i) - m(0))/c_{\mathcal{E}}$. This ensures that $m'(0) = 0$, $|m'(i+1) - m'(i)| \leq 1$ and $\mathbb{E}(m'(i+1) \mid m'(0), \ldots, m'(i)) \leq -t/c_{\mathcal{E}}$ for all $i$. In this way, we arrive at the following conclusion, putting $\lambda_{\mathcal{E}} := \frac{1 - t/c_{\mathcal{E}}}{1 + t/c_{\mathcal{E}}}$:

Corollary 22. For any scheduler $\sigma$ and any starting state $s$ in $\mathcal{E}$, we have $\Pr^{\sigma}_s(\Diamond wgt \geq (k+1) \cdot c_{\mathcal{E}}) \leq \lambda_{\mathcal{E}}^k$.

Proof. By Theorem 21, $\Pr^{\sigma}_s(\Diamond wgt \geq (k+1) \cdot c_{\mathcal{E}}) \leq \Pr^{\sigma}_s(\Diamond wgt \geq \|u\| + k \cdot c_{\mathcal{E}}) \leq \Pr^{\sigma}_s(\exists i : m(i) - m(0) \geq k \cdot c_{\mathcal{E}}) = \Pr^{\sigma}_s(\sup_{i \in \mathbb{N}} m'(i) \geq k) \leq \left(\frac{1 - t/c_{\mathcal{E}}}{1 + t/c_{\mathcal{E}}}\right)^k$. 


Let $MEC$ be the set of maximal end components in $M$. For each $\mathcal{E} \in MEC$, let $\lambda_{\mathcal{E}}$ and $c_{\mathcal{E}}$ be as in Corollary 22. Define $\lambda_M := 1 - \left(\delta^{|S|} \cdot \prod_{\mathcal{E} \in MEC} (1 - \lambda_{\mathcal{E}})\right)$, and $c_M := |S| \cdot W + \sum_{\mathcal{E} \in MEC} c_{\mathcal{E}}$. Then an accumulated weight of $c_M$ cannot be reached with a probability greater than $\lambda_M$ because reaching accumulated weight $c_M$ would require reaching weight $c_{\mathcal{E}}$ in some end component $\mathcal{E}$ or reaching weight $|S| \cdot W$ in the MEC-quotient and $1 - \lambda_M$ is a lower bound on the probability that none of this happens (under any scheduler). 


Proposition 23. Let $M$ be an MDP with $PE^{\max}_{s_{init}} < \infty$. There is an upper bound $PE^{ub}$ for the partial expectation in $M$ computable in polynomial time.

Proof. In any end component $\mathcal{E}$, the maximal mean payoff $-t$ and the super-potential $u$ are computable in polynomial time. Hence, $c_{\mathcal{E}}$ and $\lambda_{\mathcal{E}}$, and in turn also $c_M$ and $\lambda_M$ are also computable in polynomial time. When we reach accumulated weight $c_M$ for the first time, the actual accumulated weight is at most $c_M + W$. So, we conclude that $\Pr^{\max}_{s_{init}}(\Diamond wgt \geq k \cdot (c_M + W)) \leq \lambda_M^k$. The partial expectation can now be bounded by $\sum_{k=0}^{\infty} (k+1) \cdot (c_M + W) \cdot \lambda_M^k = \frac{c_M + W}{(1 - \lambda_M)^2}$. 


Corollary 24. Let $M$ be an MDP with $CE^{\max}_{M,s_{init}} < \infty$. There is an upper bound $CE^{ub}$ for the conditional expectation in $M$ computable in polynomial time.

Proof. By Proposition 6, we can construct an MDP $N$ in which $goal$ is reached with probability $q > 0$ in polynomial time with $CE^{\max}_{N,t_{init}} = CE^{\max}_{M,s_{init}}$. Now, $CE^{ub} := PE^{ub}/q$ is an upper bound for the conditional expectation in $M$. 


Approximating Optimal Partial Expectations. The idea for the approximation is to assume that the partial expectation is $PE^{\mathit{Max}}_s + w \cdot p^{\max}_s$ if a high weight $w$ has been accumulated in state $s$. Similarly, for small weights $w'$, we use the value $PE^{\mathit{Min}}_s + w' \cdot p^{\min}_s$. We will first provide a lower "saturation point" making sure that only actions minimizing the probability to reach the goal are used by an optimal scheduler as soon as the accumulated weight drops below this saturation point. For the proofs to this section, see Appendix C.1 of [17].

Proposition 25. Let $M$ be an MDP with $PE^{\max}_{s_{init}} < \infty$. Let $s \in S$, let $p^{\min}_{s,a} := \sum_{t \in S} P(s,a,t) \cdot p^{\min}_t$, and let

$$q_s := \min_{a \in Act(s) \setminus Act^{\min}(s)} \frac{PE^{ub} - PE^{\mathit{Min}}_s}{p^{\min}_s - p^{\min}_{s,a}}.$$

Then any weight-based deterministic scheduler $\sigma$ maximizing the partial expectation in $M$ satisfies $\sigma(s,w) \in Act^{\min}(s)$ if $w \leq q_s$.

Let $q := \min_{s \in S} q_s$ and let $D := PE^{ub} - \min\{PE^{\mathit{Min}}_s, PE^{\mathit{Max}}_s \mid s \in S\}$. Given $\varepsilon > 0$, we define $R^+ := (c_M + W) \cdot \lceil \log_{\lambda_M}(\varepsilon / D) \rceil$ and $R^- := q - R^+$. 


Theorem 26. There is a weight-based deterministic scheduler $\sigma$ such that the scheduler $T$ defined by

$$T(\pi) := \begin{cases} \sigma(\pi) & \text{if every prefix } \pi' \text{ of } \pi \text{ satisfies } R^- \leq wgt(\pi') \leq R^+, \\ \mathit{Max}(\pi) & \text{if the shortest prefix } \pi' \text{ of } \pi \text{ with } wgt(\pi') \notin [R^-, R^+] \text{ satisfies } wgt(\pi') > R^+, \\ \mathit{Min}(\pi) & \text{otherwise,} \end{cases}$$

satisfies $PE^{T}_{s_{init}} \geq PE^{\max}_{s_{init}} - \varepsilon$.

This result now allows us to compute an $\varepsilon$-approximation and an $\varepsilon$-optimal scheduler with finite memory by linear programming, similar to the case of non-negative weights, in a linear program with $R^+ - R^-$ many variables and $|Act|$-times as many inequalities. 

Corollary 27. $PE^{\max}_{s_{init}}$ can be approximated up to an absolute error of $\varepsilon$ in time exponential in the size of $M$ and polynomial in $\log(1/\varepsilon)$.

If the logarithmic length of $b \in \mathbb{Q}$ is polynomial in the size of $M$, we can also approximate $PE^{\max}_{s_{init}}[b]$ up to an absolute error of $\varepsilon$ in time exponential in the size of $M$ and polynomial in $\log(1/\varepsilon)$: We can add a new initial state $s$ with a transition to $s_{init}$ with weight $b$ and approximate $PE^{\max}_{s}$ in the new MDP. 


Transfer to Conditional Expectations. Let $M$ be an MDP with $CE^{\max}_{s_{init}} < \infty$ and $\varepsilon > 0$. By Proposition 6, we can assume that $\Pr^{\min}_{M,s_{init}}(\Diamond goal) =: p$ is positive. Clearly, $CE^{\max}_{s_{init}} \in [CE^{\mathit{Max}}_{s_{init}}, CE^{ub}]$. We perform a binary search to approximate $CE^{\max}_{s_{init}}$: We put $A_0 := CE^{\mathit{Max}}_{s_{init}}$ and $B_0 := CE^{ub}$. Given $A_i$ and $B_i$, let $\theta_i := (A_i + B_i)/2$. Then, we approximate $PE^{\max}_{s_{init}}[-\theta_i]$ up to an absolute error of $p \cdot \varepsilon$. Let $E_i$ be the value of this approximation. If $E_i \in [-2p \cdot \varepsilon, 2p \cdot \varepsilon]$, terminate and return $\theta_i$ as the approximation for $CE^{\max}_{s_{init}}$. If $E_i < -2p \cdot \varepsilon$, put $A_{i+1} := A_i$ and $B_{i+1} := \theta_i$, and repeat. If $E_i > 2p \cdot \varepsilon$, put $A_{i+1} := \theta_i$ and $B_{i+1} := B_i$, and repeat.

Proposition 28. The procedure terminates after at most $\lceil \log((B_0 - A_0)/(p \cdot \varepsilon)) \rceil$ iterations and returns a $3\varepsilon$-approximation of $CE^{\max}_{s_{init}}$ in time exponential in the size of $M$ and polynomial in $\log(1/\varepsilon)$.

The proof can be found in Appendix C.2 of [17]. This finishes the proof of Theorem 18. 
6 Conclusion 


Compared to the setting of non-negative weights, the optimization of partial 
and conditional expectations faces substantial new difficulties in the setting of 
integer weights. The optimal values can be irrational showing that the linear 
programming approaches from the setting of non-negative weights cannot be 
applied for the computation of optimal values. We showed that this approach 
can nevertheless be adapted for approximation algorithms. Further, we were 
able to show that there are optimal weight-based deterministic schedulers. These 
schedulers, however, can require infinite memory and it remains open whether 
we can further restrict the class of schedulers necessary for the optimization. In 
examples, we have seen that optimal schedulers can switch periodically between 
actions they choose for increasing values of accumulated weight. Further insights 
on the behavior of optimal schedulers would be helpful to address threshold 
problems (“Is $\mathrm{PE}^{\max}_{s_{init}} > 0$?”).
Abstract. We generalise Cayley’s theorem for monoids by providing an explicit formula for a (multi-sorted) equational theory represented by the type $PX \to X$, where $P$ is an arbitrary polynomial endofunctor with natural coefficients. From the computational perspective, examples of effects given by such theories include backtracking nondeterminism (obtained with the original Cayley representation $X \to X$), finite mutable state (obtained with $n \to X$, for a constant $n$), and their different combinations (via $n \times X \to X$ or $X^n \to X$). Moreover, we show that monads induced by such theories are implementable using the type formers available in programming languages based on a polymorphic $\lambda$-calculus, both as compositions of algebraic datatypes and as continuation-like monads. We give a set-theoretic model of the latter in terms of Barr-dinatural transformations. We also introduce CayMon, a tool that takes a polynomial as an input and generates the corresponding equational theory together with the two implementations of the induced monad in Haskell.


1 Introduction 


The relationship between universal algebra and monads has been studied at least 
since Linton [13] and Eilenberg and Moore [4], while the relationship between 
monads and the general theory of computational effects (exceptions, mutable 
state, nondeterminism, and such) has been observed by Moggi [14]. By transitiv- 
ity, one can study computational effects using concepts from universal algebra, 
which is the main theme of Plotkin and Power’s prolific research programme 
(see [10, 20-24] among many others). 

The simplest possible case of this approach is to describe an effect via a 
finitary equational theory: a finite set of operations (of finite arities), together 
with a finite set of equations. One such example is the theory of monoids: 


Operations: $\gamma$, $\varepsilon$
Equations: $\gamma(x, \varepsilon) = x$, $\gamma(\varepsilon, x) = x$, $\gamma(\gamma(x, y), z) = \gamma(x, \gamma(y, z))$


© The Author(s) 2019 
The above reads that the signature of the theory consists of two operations: binary $\gamma$ and nullary $\varepsilon$. The equations state that $\gamma$ is associative, with $\varepsilon$ being its left and right unit.¹ One can also read this theory as a specification of backtracking nondeterminism, in which the order of results matters, where $\gamma$ is an operation that creates a new computation as a choice between two subcomputations, while $\varepsilon$ denotes failure. The connection between the equational theory and the computational effect becomes apparent when we consider the monad of free monoids (that is, the list monad), which is in fact used to form backtracking computations in programming; see, for example, Bird’s pearl [1].

This suggests a simple recipe for computational effects: it is enough to come 
up with an equational theory, and out of the hat comes the induced monad 
of free algebras that implements the corresponding effect. Such an approach 
is indeed possible in the category Set, where every finitary equational theory 
admits a free monad, constructed by quotienting terms over the signature by 
the congruence induced by the equations. However, if we want to implement this 
monad in a programming language, the situation is not so simple, since in most 
programming languages (in particular, those without higher inductive types) 
we cannot generally express this kind of quotients. For instance, to describe a 
variant of nondeterminism that does not admit duplicate results, we may extend 
the theory of monoids with an equation stating that $\gamma$ is idempotent, that is, $\gamma(x, x) = x$. But, unlike in the case of general monoids, the monad induced by the theory of idempotent monoids seems to be no longer directly expressible in, say, Haskell. This means that there is no implementation that satisfies all the equations of the theory “on the nose”—one informal argument is that the representations of $\gamma(x, x)$ and $x$ should be the same whatever the type of $x$, and this would require a decidable equality test on every type, which is not possible.

Thus, both from the practical viewpoint of programming and as a question on 
the general nature of equational theories, it makes sense to ask which theories 
are “simple” enough to induce monads expressible using only the basic type 
formers, such as (co)products, function spaces, algebraic datatypes, universal 
and existential quantification. This question seems difficult in general, and to 
our knowledge there is little work that addresses it. In this paper, we focus on 
a small piece of this problem: we study a certain subset of such implementable 
equational theories, and conjure some novel extensions. 

The monads that we consider arise from Cayley representations. The over- 
all idea is that if a theory has an expressible, well-behaved (in a sense that 
we make precise in the paper) Cayley representation, the induced monad also 
has an expressible implementation. The well-known Cayley theorem for monoids states that every monoid with a carrier $X$ embeds in the monoid of endofunctions $X \to X$. In this paper, we generalise this result: given a polynomial Set-endofunctor $P$ with natural coefficients, we provide an explicit formula for an equational theory such that its every algebra with a carrier $X$ embeds in a certain algebra with the carrier given by $PX \to X$. Then, we show that the monad of


¹ Although one usually writes $\gamma$ as an infix operation, we use a “functional” syntax, since, in the following, the arity of corresponding operations may vary.
free algebras of such a theory can be implemented as a continuation-like monad with the endofunctor given at a set $A$ as:


$\forall X.\,(A \to PX \to X) \to PX \to X$   (1)


This type is certainly expressible in programming languages based on polymorphic $\lambda$-calculi, such as Haskell.

However, before we can give the details of this construction, we need to address some technical issues. It is easy to notice that there may be more than one “Cayley representation” of a given theory: for example, a monoid $X$ embeds not only in $X \to X$, but also in a “smaller” monoid $X \xrightarrow{\gamma} X$, by which we mean the monoid of functions of the type $X \to X$ of the shape $a \mapsto \gamma(b, a)$, where $b \in X$. The same monoid $X$ embeds also in a “bigger” monoid $X^2 \to X$, in which we interpret the operations as $\gamma(f, g) = (x, y) \mapsto f(g(x, y), y)$ and $\varepsilon = (x, y) \mapsto x$. What makes $X \to X$ special is that instantiating (1) with $PX = X$ gives a monad that is isomorphic to the list monad (note that in this case, the type (1) is simply the Church representation of lists). At the same time, we cannot use $X \xrightarrow{\gamma} X$ instead of $X \to X$, since (1) quantifies over sets, and thus there is no natural candidate for $\gamma$. Moreover, even though we may use the instantiation $PX = X^2$, this choice yields a different monad (which we describe in more detail in Sect. 5.4). To sort this out, in Sect. 2, we introduce the notion of tight Cayley representation. This notion gives rise to the monad of the following shape, which is a strict generalisation of (1), where $R$ is a Set-bifunctor of mixed variance:


$\forall X.\,(A \to R(X, X)) \to R(X, X)$   (2)


Formally, all our constructions are set-theoretic—to focus the presentation, 
the connection with programming languages and type theory is left implicit. 
Thus, the second issue that we discuss in Sect. 2 is the meaning of the universal quantifier $\forall$ in (1). It is known [27] that polymorphic functions of this shape enjoy
a form of dinaturality proposed by Michael Barr (see Paré and Román [16]), 
called by Mulry strong dinaturality [15]. We model the universally quantified 
types above as collections of Barr-dinatural transformations, and prove that if 
R is a tight representation, the collection (2) is always a set. 

In Sect. 4, we give the formula that defines an equational theory given a 
polynomial functor P. In general, the theories we construct can be multi-sorted, 
which is useful for avoiding a combinatory explosion of the induced theories, 
hence a brief discussion of such theories in Sect. 3. We show that $PX \to X$ is
indeed a tight representation of the generated theory. Then, in Sect. 5, we study 
a number of examples in order to discover what effects are denoted by the gen- 
erated theories. It turns out that each theory can be seen as a (rather complex, 
for nontrivial polynomial functors) composition of backtracking nondeterminism 
and finite mutable state. Moreover, in Sect. 6, we show that the corresponding 
monads can be implemented not only as continuation-like monads (1), but also 
in “direct style”, using algebraic datatypes. 

Since they are parametrised by a polynomial, both the equational theory and 
its representation consist of many indexed components, so it is not necessarily 
trivial to get much intuition simply by looking at the formulas. To facilitate this, we have implemented a tool, called CayMon, that generates the theory from a given polynomial, and produces two implementations in Haskell: as a composition of algebraic datatypes and as a continuation-like (“Cayley”) monad (1). The tool can be run in a web browser, and is available at http://pl-uwr.bitbucket.io/caymon.


2 Tight Cayley Representations 


In this section, we take a more abstract view on the concept of “Cayley represen- 
tation”. In the literature (for example, [2,5,17,25]), authors usually define Cayley 
representations of different forms of algebraic structures in terms of embeddings. 
This means that given an object $X$, there is a homomorphism $\sigma : X \to Y$ to a different object $Y$, and moreover $\sigma$ has a retraction (not necessarily a homomorphism) $\rho : Y \to X$ (meaning $\rho \cdot \sigma = \mathrm{id}$). One important fact, which is usually left
implicit, is that the construction of Y from X is in some sense functorial. Since 
we are interested in coming up with representations for many different equational 
theories, we first identify sufficient properties of such a representation needed to 
carry out the construction of the monad (2) sketched in the introduction. In 
particular, we introduce the notion of tight Cayley representation, which char- 
acterises the functoriality and naturality conditions for the components of the 
representation. 

As for notation, we use $A \to B$ to denote both the type of a morphism in a
category, and the set of all functions from A to B (the exponential object in Set). 
Also, for brevity, we write the application of a bifunctor to two arguments, e.g., 
G(X,Y), without parentheses, as GXY. We begin with the following definition: 


Definition 1 (see [16]). Let $\mathcal{C}$, $\mathcal{D}$ be categories, and $G, H : \mathcal{C}^{op} \times \mathcal{C} \to \mathcal{D}$ be functors. Then, a collection of $\mathcal{D}$-morphisms $\theta_X : GXX \to HXX$ indexed by $\mathcal{C}$-objects is called a Barr-dinatural transformation if it is the case that for all objects $A$ in $\mathcal{D}$, objects $X$, $Y$ in $\mathcal{C}$, morphisms $f_1 : A \to GXX$, $f_2 : A \to GYY$ in $\mathcal{D}$, and a morphism $g : X \to Y$ in $\mathcal{C}$,

if the square $GXg \circ f_1 = GgY \circ f_2 : A \to GXY$ commutes, then the square $HXg \circ \theta_X \circ f_1 = HgY \circ \theta_Y \circ f_2 : A \to HXY$ commutes.


An important property of Barr-dinaturality is that the component-wise com- 
position gives a well-behaved notion of vertical composition of two such trans- 
formations. The connection between Barr-dinatural transformations and Cayley 
representations is suggested by the fact, shown by Paré and Román [16], that 
the collection of such transformations of type H — H for the Set-bifunctor 
$H(X, Y) = X \to Y$ is isomorphic to the set of natural numbers. The latter, equipped with addition and zero (or the former with composition and the identity transformation, respectively), is simply the free monoid with a single generator, that is, an instance of (1) with $PX = X$ and $A = 1$.

For the remainder of this section, assume that $\mathcal{J}$ is a category, while $F : \mathrm{Set} \to \mathcal{J}$ is a functor with a right adjoint $U : \mathcal{J} \to \mathrm{Set}$. Intuitively, $\mathcal{J}$ is a category of algebras of some theory, and $U$ is the forgetful functor. Then, the monad generated by the theory is given by the composition $UF$. For a function $f : A \to UX$, we write $\overline{f} = Uf' : UFA \to UX$, where $f' : FA \to X$ is the contraposition of $f$ via the adjunction (intuitively, the unique homomorphism induced by the freeness of the algebra $FA$).


Definition 2. A tight Cayley representation of $\mathcal{J}$ with respect to $F \dashv U$ consists of the following components:

(a) A bifunctor $R : \mathrm{Set}^{op} \times \mathrm{Set} \to \mathrm{Set}$,

(b) For each set $X$, an object $\mathbf{R}X$ in $\mathcal{J}$, such that $U\mathbf{R}X = RXX$,

(c) For all sets $A$, $X$, $Y$ and functions $f_1 : A \to RXX$, $f_2 : A \to RYY$, $g : X \to Y$, it is the case that if the square $RXg \circ f_1 = RgY \circ f_2 : A \to RXY$ commutes, then the square $RXg \circ \overline{f_1} = RgY \circ \overline{f_2} : UFA \to RXY$ commutes.

(d) For each object $M$ in $\mathcal{J}$, a morphism $\sigma_M : M \to \mathbf{R}(UM)$ in $\mathcal{J}$, such that $U\sigma_M : UM \to R(UM)(UM)$ is Barr-dinatural in $M$,

(e) A Barr-dinatural transformation $\rho_M : R(UM)(UM) \to UM$, such that $\rho_M \cdot U\sigma_M = \mathrm{id}$,

(f) For each set $X$, a set of indices $I_X$ and a family of functions $\mathrm{run}_{X,i} : RXX \to X$, where $i \in I_X$, such that $R(RXX)\mathrm{run}_{X,i}$ is a jointly monic family, and the following diagram commutes for all $X$ and $i \in I_X$:

$R(RXX)\mathrm{run}_{X,i} \circ U\sigma_{\mathbf{R}X} = R\,\mathrm{run}_{X,i}\,X : RXX \to R(RXX)X$, where $U\sigma_{\mathbf{R}X} : RXX \to R(RXX)(RXX)$.

Note that the condition (c) states that the objects $\mathbf{R}$ are, in a sense, natural. Intuitively, understanding an object $\mathbf{R}X$ as an algebra, the condition states that the algebraic structure of $\mathbf{R}X$ does not really depend on the set $X$. The condition (f) may seem rather complicated: the intuition behind the technical formulation is that $RXY$ behaves like a form of a function space (after all, we are interested in abstract Cayley representations), and $\mathrm{run}_{X,i}$ is an application to an argument specified by $i$, as in the example below. In such a case, the joint monicity becomes the extensional equality of functions.
Example 3. Let us check how the Cayley representation for monoids fits the definition above: (a) The bifunctor is $RXY = X \to Y$. (b) The $\mathcal{J}$-object for a monoid $M$ is the monoid $M \to M$ with $\gamma(f, g) = f \circ g$ and $\varepsilon = \mathrm{id}$. (c) Given some elements $a, b, \ldots, c \in A$, we need to see that $g \circ f_1(a) \circ f_1(b) \circ \cdots \circ f_1(c) = f_2(a) \circ f_2(b) \circ \cdots \circ f_2(c) \circ g$. Fortunately, the assumption, which in this case becomes $g \circ f_1(a) = f_2(a) \circ g$ for all $a \in A$, allows us to “commute” $g$ from one side of the chain of function compositions to the other. (d) $\sigma_M(a) = b \mapsto \gamma(a, b)$. It is easy to verify that it is a homomorphism. The Barr-dinaturality condition: assuming $f(m) = n$ for some $m \in M$ and $n \in N$, and a homomorphism $f : M \to N$, it is the case that, omitting the $U$ functor, $RfN(\sigma_N(n)) = RfN(\sigma_N(f(m))) = b \mapsto \gamma(f(m), f(b)) = b \mapsto f(\gamma(m, b)) = RMf(\sigma_M(m))$, where the equalities can be explained respectively as: assumption in the definition of Barr-dinaturality, unfolding definitions, homomorphism, unfolding definitions. (e) $\rho_M(f) = f(\varepsilon)$. It is easy to show that it is Barr-dinatural; note that we need to use the fact that $\mathcal{J}$-morphisms (that is, monoid homomorphisms) preserve $\varepsilon$. (f) We define $I_X = X$, while $\mathrm{run}_{X,i}(f) = f(i)$.


The first main result of this paper states that given a tight representation 
of $\mathcal{J}$ with respect to $F \dashv U$, the monad given by the composition $UF$ can be
alternatively defined using a continuation-like monad constructed with sets of 
Barr-dinatural transformations: 


Theorem 4. For a tight Cayley representation $R$ with respect to $F \dashv U$, elements of the set $UFA$ are in 1-1 correspondence with Barr-dinatural transformations of the type $(A \to RXX) \to RXX$. In particular, this means that the latter form a set. Moreover, this correspondence gives a monad isomorphism between $UF$ and the evident continuation-like structure on (2), given by the unit $(\eta_A(a))_X(f) = f(a)$ and the Kleisli extension $(f^*(k))_X(g) = k_X(a \mapsto (f(a))_X(g))$.


We denote the set of all Barr-dinatural transformations from the bifunctor $(X, Y) \mapsto A \to RXY$ to $R$ as $\forall X.\,(A \to RXX) \to RXX$. This gives us a monad similar in shape to the continuation monad, or, more generally, Kock’s codensity monad [12] embodied using the formula for right Kan extensions as ends. One important difference with the codensity monad (except, of course, the fact that we have bifunctors on the right-hand sides of arrows) is that we use Barr-dinatural transformations instead of the usual dinatural transformations [3]. Indeed, if we use ends instead of $\forall$, the end $\int_X (A \to RXX) \to RXX$ is given as the collection of all dinatural transformations of the given shape. It is known, however, that even in the simple case when $A = 1$ and $RXY = X \to Y$, this collection is too big to be a set (see the discussion in [16]), hence such an end does not exist.


3 Multi-sorted Equational Theories with a Main Sort 


The equational theories that we generate in Sect. 4 are multi-sorted, which is useful for trimming down the combinatorial complexity of the result. This turns out to be, in our view, essential in understanding what computational effects they actually represent. In this section, we give a quick overview of what kind of equational theories we work with, and discuss the construction of their free algebras.

We need to discuss the free algebras here, since we want the freeness to be 
with respect to a forgetful functor to Set, rather than to the usual category of 
sorted sets; compare [26]. This is because we want the equational theories to 
generate monads on Set, as described in the previous section. In particular, we 
are interested in theories in which one of the sorts is chosen as the main one, and 
work with the functor that forgets not only the structure, but also the carriers 
of all the other sorts, only preserving the main one. Luckily, this functor can be 
factored as a composition of two forgetful functors, each with an obvious left 
adjoint. 

In detail, assume a finite set of sorts $S = \{\Omega, K_1, \ldots, K_d\}$ for some $d \in \mathbb{N}$, where $\Omega$ is the main sort. The category of sorted sets is simply the category $\mathrm{Set}^{|S|}$, where $|S|$ is the discrete category generated by the set $S$. More explicitly, the objects of $\mathrm{Set}^{|S|}$ are tuples of sets (one for each sort), while morphisms are tuples of functions. Given an $S$-sorted finitary theory $\mathbb{T}$, we denote the category of its algebras as $\mathbb{T}$-Alg. To see that the forgetful functor from $\mathbb{T}$-Alg to Set has a left adjoint, consider the following composition of adjunctions:

$\mathrm{Set} \xrightarrow{X \mapsto (X, \emptyset, \ldots, \emptyset)} \mathrm{Set}^{|S|} \xrightarrow{\mathrm{free}} \mathbb{T}\text{-Alg}$, with the respective right adjoints $(X, A_1, \ldots, A_d) \mapsto X : \mathrm{Set}^{|S|} \to \mathrm{Set}$ and $\mathrm{carriers} : \mathbb{T}\text{-Alg} \to \mathrm{Set}^{|S|}$.

This means that the free algebra for each sort has the carrier given by the set of terms of the given sort (with variables appearing only at positions intended for the main sort $\Omega$) quotiented by the congruence induced by the equations. This kind of composition of adjunctions is similar to [18], but in this case the compound right adjoints of the theories given in the next section are monadic.


4 Theories from Polynomial Cayley Representations 


In this section, we introduce algebraic theories that are tightly Cayley-represented by $PX \to X$ for a polynomial functor $P$. Notation-wise, whenever we write $i \le k$ for a fixed $k \in \mathbb{N}$, we mean that $i$ is a natural number in the range $1, \ldots, k$, and use $[x_i]_{i \le k}$ to denote a sequence $x_1, \ldots, x_k$. The latter notation is used also in arguments of functions and operations, so $f([x_i]_{i \le k})$ means $f(x_1, \ldots, x_k)$, while $f(x, [y_i]_{i \le k})$ means $f(x, y_1, \ldots, y_k)$. We sometimes use double indexing; for example, by $\prod_{i \le k} \prod_{j \le t_i} X_{ij} \to Y$ for some $[t_i]_{i \le k}$, we mean the type $X_{11} \times \cdots \times X_{1t_1} \times \cdots \times X_{k1} \times \cdots \times X_{kt_k} \to Y$. This is matched by a double-nested notation in arguments, that is, $f([[x_i^j]_{j \le t_i}]_{i \le k})$ means $f(x_1^1, \ldots, x_1^{t_1}, \ldots, x_k^1, \ldots, x_k^{t_k})$. Also, whenever we want to repeat an argument $k$ times, we write $[x]_k$; for example, $f([x]_3)$ means $f(x, x, x)$. Because we use a lot of sub- and superscripts as indices, we do not use the usual notation for exponentiation. This means that $x^i$ always denotes some $x$ at index $i$, while a $k$-fold product of some type $X$, ordinarily denoted $X^k$, is written as $\prod^k X$. We use the $\llbracket - \rrbracket$ brackets to denote the interpretation of sorts and operations in an algebra (that is, a model of the theory). If the algebra is clear from the context, we skip the brackets in the interpretation of operations.

For the rest of the paper, let $d \in \mathbb{N}$ (the number of monomials in the polynomial) and sequences of natural numbers $[c_i]_{i \le d}$ and $[e_i]_{i \le d}$ (the coefficients and exponents respectively) define the following polynomial endofunctor on Set:

$PX = \sum_{i=1}^{d} c_i \times \prod^{e_i} X$   (3)

where $c_i$ is an overloaded notation for the set $\{1, \ldots, c_i\}$. With this data, we define the following equational theory:


Definition 5. Assuming $d$, $[c_i]_{i \le d}$, and $[e_i]_{i \le d}$ as above, we define the following equational theory $\mathbb{T}$:

– Sorts:
  $\Omega$ (main sort)
  $K_i$, for all $i \le d$
– Operations:
  $\mathrm{cons} : \prod_{i \le d} \prod^{c_i} K_i \to \Omega$
  $\pi_i^j : \Omega \to K_i$, for $i \le d$ and $j \le c_i$
  $\varepsilon_i^j : K_i$, for $i \le d$ and $j \le e_i$
  $\gamma_i^j : K_j \times \prod^{e_j} K_i \to K_i$, for $i, j \le d$
– Equations:
  $\pi_i^j(\mathrm{cons}([[x_i^j]_{j \le c_i}]_{i \le d})) = x_i^j$   (beta-$\pi$)
  $\mathrm{cons}([[\pi_i^j(x)]_{j \le c_i}]_{i \le d}) = x$   (eta-$\pi$)
  $\gamma_i^j(\varepsilon_j^k, [x_t]_{t \le e_j}) = x_k$   (beta-$\varepsilon$)
  $\gamma_i^i(x, [\varepsilon_i^t]_{t \le e_i}) = x$   (eta-$\varepsilon$)
  $\gamma_i^j(\gamma_j^k(x, [y_t]_{t \le e_k}), [z_s]_{s \le e_i}) = \gamma_i^k(x, [\gamma_i^j(y_t, [z_s]_{s \le e_i})]_{t \le e_k})$   (assoc-$\gamma$)


Thus, in the theory $\mathbb{T}$, there is a main sort $\Omega$, which we think of as corresponding to the entire functor, and one sort $K_i$ for each “monomial” $\prod^{e_i} X$. Then, we can think of $\Omega$ as a tuple containing elements of each sort, where each sort $K_i$ has exactly $c_i$ occurrences. The fact that $\Omega$ is a tuple, which is witnessed by the $\mathrm{cons}$ and $\pi$ operations equipped with the standard equations for tupling and projections, is not too surprising—one should keep in mind that $\mathbb{T}$ is a theory represented by the type $PX \to X$, which can be equivalently given as the product of function spaces $c_i \times \prod^{e_i} X \to X$ for all $i \le d$.

Each operation $\gamma_i^j$ can be used to compose an element of $K_j$ and $e_j$ elements of $K_i$ to obtain an element of $K_i$. The $\varepsilon$ constants can be seen as selectors: in (beta-$\varepsilon$), $\varepsilon_j^k$ in the first argument of $\gamma_i^j$ selects the $k$-th argument of the sort $K_i$, while the (eta-$\varepsilon$) equation states that composing a value of $K_i$ with the successive selectors of $K_i$ gives back the original value. The equation (assoc-$\gamma$) states that the composition of values is associative in an appropriate sense. In Sect. 5, we provide a reading of the theory $\mathbb{T}$ as a specification of a computational effect for different choices of $d$, $c_i$, and $e_i$.


Remark 6. If it is the case that $e_i = e_j$ for some $i, j \le d$, then the sorts $K_i$ and $K_j$ are isomorphic. This means that in every algebra of such a theory, there is an isomorphism of sorts $\psi : \llbracket K_i \rrbracket \to \llbracket K_j \rrbracket$, given by $\psi(x) = \gamma_j^i(x, [\varepsilon_j^t]_{t \le e_j})$. This suggests an alternative setting, in which instead of having a single $c_i \times \prod^{e_i} X$ component, we can have $c_i$ components of the shape $\prod^{e_i} X$. In such a setting, the equational theory $\mathbb{T}$ in Definition 5 would be slightly simpler—specifically, there would be no need for double-indexing in the types of $\mathrm{cons}$ and $\pi$. On the downside, this would obfuscate the connection with computational effects described in Sect. 5 and some conjured extensions in Sect. 7.


The theory $\mathbb{T}$ has a tight Cayley representation using functions from $P$, as detailed in the following theorem. This gives us the second main result of this paper: by Theorem 4, the theory $\mathbb{T}$ is the equational theory of the monad (1). The notation $\mathit{in}_i$ means the $i$-th inclusion of the coproduct in the functor $P$.


Theorem 7. The equational theory $\mathbb{T}$ from Definition 5 is tightly Cayley-represented by the following data:

– The bifunctor $RXY = PX \to Y$,
– For a set $X$, the following algebra:
  • Carriers of sorts:
    $\llbracket \Omega \rrbracket = RXX$
    $\llbracket K_i \rrbracket = \prod^{e_i} X \to X$
  • Interpretation of operations:
    $\llbracket \mathrm{cons} \rrbracket([[f_i^j]_{j \le c_i}]_{i \le d})(\mathit{in}_i(c, [x_t]_{t \le e_i})) = f_i^c([x_t]_{t \le e_i})$
    $\llbracket \pi_i^j \rrbracket(f)([x_t]_{t \le e_i}) = f(\mathit{in}_i(j, [x_t]_{t \le e_i}))$
    $\llbracket \varepsilon_i^j \rrbracket([x_t]_{t \le e_i}) = x_j$
    $\llbracket \gamma_i^j \rrbracket(f, [g_t]_{t \le e_j})([x_t]_{t \le e_i}) = f([g_t([x_t]_{t \le e_i})]_{t \le e_j})$
– The homomorphism $\sigma_M$ for the main sort and sorts $K_i$:
    $\sigma_M^{\Omega}(m)(\mathit{in}_i(c, [x_t]_{t \le e_i})) = \mathrm{cons}([[\gamma_k^i(\pi_i^c(m), [\pi_k^j(x_t)]_{t \le e_i})]_{j \le c_k}]_{k \le d})$
    $\sigma_M^{K_i}(s)([x_t]_{t \le e_i}) = \mathrm{cons}([[\gamma_k^i(s, [\pi_k^j(x_t)]_{t \le e_i})]_{j \le c_k}]_{k \le d})$
– The transformation $\rho_M$:
    $\rho_M(f) = \mathrm{cons}([[\pi_k^j(f(\mathit{in}_k(j, [\mathrm{cons}([w_r^f]_{r < k}, [\varepsilon_k^t]_{c_k}, [w_r^f]_{k < r \le d})]_{t \le e_k})))]_{j \le c_k}]_{k \le d})$
    where $w_r^f = [\pi_r^c(f(\mathit{in}_r(c, \ldots)))]_{c \le c_r}$
– The set of indices $I_X = PX$ and the functions $\mathrm{run}_{X,i}(f) = f(i)$.


In the representing algebra, it is the case that each $\llbracket K_i \rrbracket$ represents one monomial, as mentioned in the description of $\mathbb{T}$, while $\llbracket \Omega \rrbracket$ is the appropriate tuple of representations of monomials, which is encoded as a single function from a coproduct (in our opinion, this encoding turns out to be much more readable on paper), while $\mathrm{cons}$ and $\pi$ are indeed given by tupling and projections. For each $i \le d$, the function $\varepsilon_i^j$ simply returns its $j$-th argument, while $\gamma$ is interpreted as the usual composition of multi-argument functions.

Homomorphisms between multi-sorted algebras are defined as operation-preserving functions for each sort, so $\sigma$ is defined for the sort $\Omega$ and for each sort $K_i$. In general, the point of Cayley representations is to encode an element $m$ of an algebra $M$ using its possible behaviours with other elements of the algebra. It is no different here: for each sort $K_i$ at the $c$-th occurrence in the tuple, the function $\sigma^{\Omega}$ packs (using $\mathrm{cons}$) all possible compositions (by means of $\gamma$) of values of $K_i$ with the “components” of $m$ (extracted using $\pi$). The same happens for each $s \in \llbracket K_i \rrbracket$ in $\sigma_M^{K_i}(s)$, but there is no need to unpack $s$, as it is already a value of a single sort.

The transformation $\rho_M$ is a bit more complicated. The argument $f$ is, in general, a function from a coproduct to $M$, but we cannot simply apply $f$ to one value $\mathit{in}_i(\ldots)$ for some sort $K_i$, as we would obviously lose the information about the components in different sorts. This is why we need to apply $f$ to all possible sorts with $\varepsilon$ in the right place to ensure that we recover the original value. We extract the information about particular sorts from such values, and combine them using $\mathrm{cons}$. Interestingly, the elements of $w^f$ could actually be replaced by any expression of the appropriate sort that is preserved by homomorphisms, assuming that $f$ is also preserved. This is needed to ensure that $\rho$ is Barr-dinatural (the fact that $f$ is preserved by homomorphisms is exactly the assumption in the definition of Barr-dinaturality). For example, if $e_r > 0$ for some $r \le d$, one can define $w_r^f$ simply as $[\varepsilon_r^j]_{c_r}$ for some $j \le e_r$. The complicated expression in the definition of $w^f$ is a way to produce values also for sorts $K_r$ with $e_r = 0$, which do not have any $\varepsilon$ constants.


5 Effects Modeled by Polynomial Representations 


Now we describe what kind of computational effects are captured by the theo- 
ries introduced in the previous section. It turns out that they all are different 
compositions of finite mutable state and backtracking nondeterminism. These 
compositions include the two most basic ones: when the state is local for each 
nondeterministic branch, and when it is global to the entire computation. 
In the following, if there is only one object of a given kind, we skip the indices. For example, if for some $i$, it is the case that $e_i = 1$, we write $\varepsilon_i$ instead of $\varepsilon_i^1$. If $d = 1$, we skip the subscripts altogether.


5.1 Backtracking Nondeterminism via Monoids 


We recover the original Cayley theorem for monoids instantiating Theorem 7 with $PX = X$, that is, $d = 1$ and $c_1 = e_1 = 1$. In this case, we obtain two sorts, $\Omega$ and $K$, while the equations (beta-$\pi$) and (eta-$\pi$) instantiate respectively as follows:

$\pi(\mathrm{cons}(x)) = x$,  $\mathrm{cons}(\pi(x)) = x$

This means that both sorts are isomorphic, so one can think of this theory as being single-sorted. Of course, this is always the case if $d = 1$ and $c_1 = 1$. Since $e_1 = 1$, the operation $\gamma$ is binary and there is a single $\varepsilon$ constant. The equations (beta-$\varepsilon$) and (eta-$\varepsilon$) say, respectively, that $\varepsilon$ is the left and right unit of $\gamma$, that is:

$\gamma(\varepsilon, x) = x$,  $\gamma(x, \varepsilon) = x$

Interestingly, the two unit laws for monoids are symmetrical, but in general the (beta-$\varepsilon$) and (eta-$\varepsilon$) equations are not. One should note that the symmetry is already broken when one implements free monoids (that is, lists) in a programming language: in the usual right-nested implementation, the “beta” rule is part of the definition of the append function, while the “eta” rule is a theorem. The (assoc-$\gamma$) equation instantiates as the associativity of $\gamma$:

$\gamma(\gamma(x, y), z) = \gamma(x, \gamma(y, z))$


5.2 Finite Mutable State 


For $n \in \mathbb{N}$, if we take $PX = n$, that is, $d = 1$, $c_1 = n$ and $e_1 = 0$, we obtain the equational theory of a single mutable cell in which the set of possible states is $\{1, \ldots, n\}$. There are two sorts in the theory: $\Omega$ and $K$. The sort $K$ does not have any interesting structure on its own, as there are no constants $\varepsilon$, and the equation (eta-$\varepsilon$) instantiates to

$\gamma(x) = x$,

which means that $\gamma$ is necessarily an identity. The fact that this theory is indeed the theory of state becomes apparent when we identify $\Omega$ as a sort of computations that require some initial state to proceed, and $K$ as computations that produce a final state. Then, the operations $\pi^j : \Omega \to K$ ($j \le n$) are the “update” operations, where $\pi^j$ sets the current state to $j$, while $\mathrm{cons} : \prod^n K \to \Omega$ is the “lookup” operation, in which the $j$-th argument is the computation to be executed if the current state is $j$. The equations (beta-$\pi$), for all $j \le n$, and (eta-$\pi$) state respectively:

$\pi^j(\mathrm{cons}([x_i]_{i \le n})) = x_j$,  $\mathrm{cons}([\pi^i(x)]_{i \le n}) = x$
These equations embody the natural behaviour rules for this limited form of state. The former reads that setting the current state to $j$ and then proceeding with the computation $x_i$ if the current state is $i$ is the same thing as simply proceeding with $x_j$ (note that $x_j$ is of the sort $K$, hence it does not use the information that the current state has just been updated to $j$, so there is no need to keep the $\pi^j$ operation on the right-hand side of the equation). The latter states that if the current state is $i$ and we set the current state to $i$, it is the same thing as not changing the state at all (note that $x$ does not depend on the current state, as it is the same in every argument of $\mathrm{cons}$).

Interestingly, the presentations of equational theories for state in the litera- 
ture (for example, [7,23]) are all single-sorted. Such a setting can be recovered 
by defining the following macro-operations on the sort 92: 


put?: 2— 2 get: J 2> R 
put? (a) = cons((7? (x)]n) get([rili<n) = cons([m"(2i)]i<n) 
The trick here is that the get operation does not change the state (by setting the 
new state to the current one), while put does not depend on the current state 
(by having the same computation in every argument of cons). The usual four 
equations for the interaction of put and get can be obtained by unfolding the 
definitions and using the (beta-7) and (eta-7) equations: 
put? (put (x)) = put” (x) put? (get((vi]i<n)) = put? (2) 
get([get([riJi<n)]n) = get([vili<n) —— get([put’(wi)Ji<n) = get([ili<n) 
The connection with the implementation of state in programming becomes evi- 


dent when we take a closer look at the endofunctor of the induced monad from 
Theorem 4. Consider the following informal calculation: 


YVX.(A>n—>X)>n>X 


XYVX.n—>(A—>n>X)>X (flipping the arguments) 
Xn—>YX.(A>n>X)>X (V commutes with arrows) 
Xn—>YVYX.(Axn>X)>X (Curry) 
~n->Axn (Church) 


This means that not only do we prove that the equational theory corresponds to
the usual state monad, but we can actually derive the implementation of state
as the endofunctor λA. (n → A × n).
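As an added example (not code from the paper), the following Python reads the finite-state theory as 2-sorted tuples: normal-form Ω-terms are n-tuples of K-terms π^j(x), put and get are defined exactly by the macros above, the four laws are checked by enumeration, and to_cayley/from_cayley witness the last step of the calculation, ∀X. (A → n → X) → n → X ≅ n → A × n, by a round trip. The variable set A, the choice n = 3 and all helper names are this example's own assumptions.

```python
from itertools import product
from typing import Callable, List, Sequence, Tuple

N = 3                     # constructed: the finite set of states is n = {0, 1, 2}
A = ("a", "b")            # constructed: sample variables (the set A of the representation)
K = Tuple[str, int]       # normal-form K-term π^j(x): variable x, continued in the new state j
Omega = Tuple[K, ...]     # normal-form Ω-term cons([k_0, ..., k_{n-1}]): one K-term per current state


def cons(ks: Sequence[K]) -> Omega:
    return tuple(ks)


def pi(j: int, t: Omega) -> K:
    """π^j on an Ω-term, normalised by (beta-π): π^j(cons([x_i]_{i<n})) = x_j."""
    return t[j]


def put(j: int, t: Omega) -> Omega:
    """put^j(x) = cons([π^j(x)]_{i<n}): in every current state, continue as x in state j."""
    return cons([pi(j, t) for _ in range(N)])


def get(ts: Sequence[Omega]) -> Omega:
    """get([x_i]_{i<n}) = cons([π^i(x_i)]_{i<n}): in current state i continue as x_i, state unchanged."""
    return cons([pi(i, ts[i]) for i in range(N)])


def all_terms() -> List[Omega]:
    """Every normal-form Ω-term over A and n; finite, so the laws can be checked exhaustively."""
    ks = [(x, j) for x in A for j in range(N)]
    return [cons(t) for t in product(ks, repeat=N)]


def state_laws_hold() -> bool:
    """The four put/get equations of Sect. 5.2: x ranges over all terms, the n-ary and
    n^2-ary families x_i and x_ij over a small sample of terms."""
    terms = all_terms()
    sample = terms[:: len(terms) // 3][:3]
    ok = True
    for i, j in product(range(N), repeat=2):          # put^i(put^j(x)) = put^j(x)
        ok &= all(put(i, put(j, x)) == put(j, x) for x in terms)
    for xs in product(sample, repeat=N):
        for j in range(N):                             # put^j(get([x_i])) = put^j(x_j)
            ok &= put(j, get(xs)) == put(j, xs[j])
        ok &= get([put(i, xs[i]) for i in range(N)]) == get(xs)   # get([put^i(x_i)]) = get([x_i])
    for xss in product(product(sample, repeat=N), repeat=N):
        # get([get([x_ij]_j)]_i) = get([x_ii]_i)
        ok &= get([get(xss[i]) for i in range(N)]) == get([xss[i][i] for i in range(N)])
    return bool(ok)


def to_cayley(t: Omega) -> Callable:
    """An Ω-term as an element of ∀X. (A → n → X) → n → X: in state s, pass the variable
    and the new state recorded by the K-term t[s] to the continuation k."""
    return lambda k: (lambda s: k(t[s][0])(t[s][1]))


def from_cayley(c: Callable) -> Omega:
    """The Church step of the informal calculation: instantiate X := A × n with k := pairing,
    which tabulates c as a function n → A × n, i.e. as an n-tuple of K-terms."""
    return cons([c(lambda x: lambda j: (x, j))(s) for s in range(N)])


def cayley_roundtrip_holds() -> bool:
    return all(from_cayley(to_cayley(t)) == t for t in all_terms())
```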


5.3 Backtracking with Local State 


We obtain one way to combine nondeterminism with state using the functor
P X = n × X, for n ∈ ℕ, that is, d = 1, c_1 = n and e_1 = 1. It has two sorts,
Ω and K, which play roles similar to those detailed in the previous section.
However, this time K additionally has the structure of a monoid. This gives
us the theory of backtracking with local state, which means that whenever we
make a choice using the γ operation, the computations in each argument carry
separate, non-interfering states. In particular, in a computation γ(x, y), both
subcomputations x and y start with the same state, which is the initial state of
the entire computation. This non-interference is guaranteed simply by the system
of sorts: the arguments of γ are of the sort K, which means that the stateful
computations inside the arguments begin with π, which sets a new state.

We can also obtain a single-sorted theory, similar to the case of the pure 
state. To the put and get macro-operations, we add choice and failure as follows: 


$$\mathrm{choose} : \Omega \times \Omega \to \Omega \qquad\qquad \mathrm{fail} : \Omega$$
$$\mathrm{choose}(x, y) = \mathrm{cons}([\gamma(\pi^j(x), \pi^j(y))]_{j<n}) \qquad\qquad \mathrm{fail} = \mathrm{cons}([\varepsilon]_{j<n})$$


Then, the locality of state can be summarised by the following equality, which
is easy to show using the (beta-π) and (eta-π) equations:

$$\mathrm{put}^j(\mathrm{choose}(x, y)) = \mathrm{choose}(\mathrm{put}^j(x), \mathrm{put}^j(y))$$


5.4 Backtracking with Global State 


Another way to compose nondeterminism and state is by using global state,
which is obtained for n ∈ ℕ and P X = X^n, that is, d = 1, c = 1, and e = n.
As in the case of pure backtracking nondeterminism, it means that the sorts Ω
and K are isomorphic. The intuitive understanding of the expression γ(x, [y_i]_{i<n})
is: first perform the computation x, and then the computation y_i, where i is the
final state of the computation x. The operation ε^j is: fail, but set the current
state to j. In this case, the equations (beta-ε) instantiate to the following for
all j < n:

$$\gamma(\varepsilon^j, [y_i]_{i<n}) = y_j$$

It states that if the first computation fails but sets the state to j, the next step
is to try the computation y_j. Note that there is no other way to give a new state
than via failure, but this can be circumvented using γ(x, [ε^k]_{j<n}) to set the state
to k after performing x. The (eta-ε) instantiates to:

$$\gamma(x, [\varepsilon^j]_{j<n}) = x$$
This reads that if we execute x and then set the current state to the resulting
state of x, it is the same as just executing x.


6 Direct-Style Implementation 


Free algebras of the theory T from Definition 5 can also be presented as terms
of a certain shape. They are best described as terms built using the operations
from Σ that are well-typed according to the following typing rules, where the
types are called Ω, K_i, and P_i for i < d. The type of the entire term is Ω, and
VAR(x) means that x is a variable.


$$\frac{t_{ij} : K_i \quad (i<d,\ j<c_i)}{\mathrm{cons}([[t_{ij}]_{j<c_i}]_{i<d}) : \Omega}
\qquad
\frac{t : P_i \quad w_k : K_i \quad (k<e_i)}{\gamma_i(t, [w_k]_{k<e_i}) : K_i}
\qquad
\frac{\mathrm{VAR}(x)}{\pi_i(x) : P_i}$$


Note that even though variables appear as arguments to the operations π, they
are not of the type Ω. This means that the entire term cannot be a variable, as
it is always constructed with cons as the outermost operation. Each argument
of cons is a term of the type K_i for an appropriate i, which is built out of the
operations ε and γ. Note that the first argument of γ is always a variable wrapped
in π, while all the other arguments are again terms of the type K_i. Overall, such
terms can be captured as the following endofunctors on Set, where W^i represents
terms of the type K_i, while W^Ω represents terms of the type Ω. By μY.GY we
mean the carrier of the initial algebra of an endofunctor G.

$$W^i X = \mu Y.\; e_i + X \times \prod_{k<e_i} Y \qquad\qquad W^{\Omega} X = \prod_{i<d}\,\prod_{j<c_i} W^i X$$


Clearly, e_i in the definition of W^i represents the ε_i constants, while the second
component of the coproduct is a choice between the γ_i operations with appro-
priate arguments.

It is the case that every term of the sort Ω can be normalised to a term of
the type Ω by a term-rewriting system obtained by orienting the “beta” and
“assoc” equations left to right, and eta-expanding variables at the top level:

$$\gamma_i(\gamma_i(x, [y_t]_{t<e_i}), [z_s]_{s<e_i}) \;\rightsquigarrow\; \gamma_i(x, [\gamma_i(y_t, [z_s]_{s<e_i})]_{t<e_i})$$
$$x \;\rightsquigarrow\; \mathrm{cons}([[\gamma_i(\pi_i(x), [\varepsilon_i^k]_{k<e_i})]_{j<c_i}]_{i<d})$$


This term rewriting system gives rise to a natural implementation of the monadic 
structure, where the “beta” and “assoc” rules normalise the two-level term struc- 
ture, thus implementing the monadic multiplication, while the eta-expansion rule 
implements the monadic unit. 


7 Discussion 


The idea for employing Cayley representations to explore implementations of 
monads induced by equational theories is inspired by Hinze [8], who suggested 
a connection between codensity monads, Church representation of lists, and the 
Cayley theorem for monoids. We note that Hinze’s discussion is informal, but 
he suggests using ends, which, as we discuss in Sect. 2, is not sound. 

Most of the related work follows one of two main paths: it either concentrates 
on an algebraic explanation of monads already used in programming and semantics 
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(for example, [11,19,23]), or on the general connection between different kinds 
of algebraic theories and computational effects, but without much interest in 
whether it leads to structures implementable in a programming language. Some 
exceptions are the construction of the sum of a theory and a free theory [9] or the 
sum of ideal monads [6]. What we propose in Sect. 4 is a form of a “functional 
combinatorics”: given a type, what kind of algebra describes the possible values? 

As our approach veers off the main paths of the recent work on effects, there 
are many possible directions of future work. One interesting direction would be 
to generalise Set, the base category used throughout this paper, to more abstract 
categories. After all, we want to talk about structures definable only in terms of 
(co)products, exponentials, and quantifiers—which are all constructions whose 
universal properties are singled out and explored using (co)cartesian (or even 
monoidal) closed categories. However, the current development relies heavily on 
the particular properties of Set, such as extensional equality of functions, which 
appears in disguise in the condition (f) in Definition 2. 

One can also try to extend the type used as a Cayley representation. For 
example, we could consider the polynomial P in (3) to range over the space of 
all sets, that is, allow the coefficients c_i to vary over sets rather than natural 
numbers. In the Cayley representation, it would be enough to consider functions 
from c_i in place of c_i-fold products. We would immediately gain expressiveness, 
as the obtained state monad would no longer need to be defined only for a finite 
set of possible states. On the flip side, this would make the resulting theory 
infinitary — which, of course, is not uncommon in the field of algebraic treatment 
of computational effects. However, we decide to stick to the simplest possible 
setting in this paper, which greatly simplifies the presentation, but still gives us 
some novel observations, like the fact that the theory of finite state is simply 
the theory of 2-sorted tuples in Sect. 5.2, or the novel theory of backtracking 
nondeterminism with global state in Sect. 5.4. Other future extensions that we 
believe are worth exploring include iterating the construction to obtain a form 
of a distributive tensor (compare Rivas et al.’s [25] “double” representation of 
near-semirings) or quantifying over more variables, leading to less interaction 
between sorts. 
Abstract. We devise a variant of the Dialectica interpretation of intuitionistic
linear logic for LMSO, a linear logic-based version of MSO over infinite
words. LMSO was known to be correct and complete w.r.t. Church’s synthesis,
thanks to an automata-based realizability model. Invoking the Büchi-Landweber
Theorem and building on a complete axiomatization of MSO on infinite words,
our interpretation provides us with a syntactic approach, without any further
construction of automata on infinite words. Via Dialectica, as linear negation
directly corresponds to switching players in games, we furthermore obtain a
complete logic: either a closed formula or its linear negation is provable. This
completely axiomatizes the theory of the realizability model of LMSO. Besides,
this shows that in principle, one can solve Church’s synthesis for a given
∀∃-formula by only looking for proofs of either that formula or its linear negation.


Keywords: Linear logic · Dialectica interpretation · MSO on infinite words


1 Introduction 


Monadic Second-Order Logic (MSO) over ω-words is a simple yet expressive
language for reasoning on non-terminating systems which subsumes non-trivial
logics used in verification such as LTL (see e.g. [2,30]). MSO on ω-words is decid-
able by Büchi’s Theorem [6] (see e.g. [24,29]), and can be completely axiomatized
as a subsystem of second-order Peano arithmetic [28]. While MSO admits an
effective translation to finite-state (Büchi) automata, it is a non-constructive
logic, in the sense that it has true (i.e. provable) ∀∃
Church’s synthesis takes as input a ∀∃-formula of MSO and asks whether it
can be realized by a finite-state causal stream transducer. Church’s synthesis
is known to be decidable since the Büchi-Landweber Theorem [7], which gives an
effective solution to ω-regular games on finite graphs generated by ∀∃-formulae.
In traditional (theoretical) solutions to Church’s synthesis, the game graphs are
induced from deterministic (say parity) automata obtained by McNaughton’s
Theorem [19]. Despite its long history, Church’s synthesis has not yet been
amenable to tractable solutions for the full language of MSO (see e.g. [12]).

In recent works [25,26], the authors suggested a Curry-Howard approach to
Church’s synthesis based on intuitionistic and linear variants of MSO. In partic-
ular, [26] proposed a system LMSO based on (intuitionistic) linear logic [13], in
which, via a translation (−)^L : MSO → LMSO, the provable ∀∃(−)^L-statements
exactly correspond to the realizable instances of Church’s synthesis. Realizer
extraction for LMSO is done via an external realizability model based on alter-
nating automata, which amounts to seeing every formula φ(a) as a formula of the
form (∃u)(∀x)φ_D(u, x, a), where φ_D represents a deterministic automaton.

In this paper, we use a variant of Gödel’s “Dialectica” functional interpreta-
tion as a syntactic formulation of the automata-based realizability model of [26].
Dialectica associates to φ(a) a formula φ^D(a) of the form (∃u)(∀x)φ_D(u, x, a).
In usual versions formulated in higher-types arithmetic (see e.g. [1,16]), the for-
mula φ_D is quantifier-free, so that φ^D is a prenex form of φ. This prenex form
is constructive, and a constructive proof of φ can be turned to a proof of φ^D
with an explicit witness for ∃u. Even if Dialectica originally interprets intuition-
istic arithmetic, it is structurally linear, and linear versions of Dialectica were
formulated at the very beginning of linear logic [21-23] (see also [14,27]).

We show that the automata-based realizability model of [26] can be obtained
by a suitable modification of the usual linear Dialectica interpretation, in which
the formula φ_D essentially represents a deterministic automaton on ω-words
and is in general not quantifier-free, and whose realizers are exactly the finite-
state accepting strategies in the model of [26]. In addition to providing a syntactic
extraction procedure with internalized and automata-free correctness proof, this
reformulation has a striking consequence, namely that there exists an extension
LMSO(C) of LMSO which is complete in the sense that for each closed formula
φ, it either proves φ or its linear negation φ ⊸ ⊥. Since LMSO(C) has realizers
for all provable ∀∃(−)^L-statements, its completeness contrasts with the classical
setting, in which, due to provable non-constructive statements, one cannot decide
Church’s synthesis by only looking for proofs of ∀∃-statements or their negations.
Besides, LMSO(C) has a linear choice axiom which is realizable in the sense of
both (−)^D and [26], but whose naive MSO counterpart is false.

The paper is organized as follows. We present our basic setting in Sect. 2,
with a particular emphasis on particularities of (finite-state) causal functions to
model strategies and realizers. Our variant of Dialectica and the corresponding
linear system are discussed in Sect. 3, while Sect. 4 defines the systems LMSO
and LMSO(C) and shows the completeness of LMSO(C).
2 Preliminaries


Alphabets (denoted Σ, Γ, etc.) are finite non-empty sets of the form 2^p for some
p ∈ ℕ. We let 1 := 2^0. Note that alphabets are closed under Cartesian products
and set-theoretic function spaces. It follows that taking [o] := 2, we have an
alphabet [τ] for each simple type τ ∈ ST, where

    σ, τ ∈ ST ::= 1 | o | σ × τ | σ → τ

We often write (τ)σ for the type σ → τ. Given an ω-word (or stream) B ∈ Σ^ω
and n ∈ ℕ, we write B↾n for the finite word B(0)·...·B(n−1) ∈ Σ*.


Church’s Synthesis and Causal Functions. Church’s synthesis consists in
the automatic extraction of stream functions from input-output specifications
(see e.g. [12,31]). These specifications are in general asked to be ω-regular, or
equivalently definable in MSO over ω-words. In practice, proper subsets of MSO
(and even of LTL) are assumed (see e.g. [5,11,12]). As an example, the relation

    (∃^∞k)B(k) ⇒ (∃^∞k)C(k)    resp.    (∀^∞k)B(k) ⇒ (∃^∞k)C(k)    (1)

with input B ∈ 2^ω and output C ∈ 2^ω specifies functions F : 2^ω → 2^ω such
that F(B) ∈ 2^ω ≃ P(ℕ) is infinite whenever B ∈ 2^ω ≃ P(ℕ) is infinite (resp.
the complement of B is finite). One may also additionally require to respect the
transitions of some automaton. For instance, following [31], in addition to either
case of (1) one can ask C ⊆ B and C not to contain two consecutive positions:

    (∀n)(C(n) ⇒ B(n))    and    (∀n)(C(n) ⇒ ¬C(n+1))    (2)


In any case, the realizers must be (finite-state) causal functions. A stream
function F : Σ^ω → Γ^ω is causal (notation F : Σ →_S Γ) if it can produce a prefix
of length n of its output from a prefix of length n of its input. Hence F is causal
if it is induced by a map f : Σ^+ → Γ as follows:

    F(B)(n) = f(B(0)·...·B(n))    (for all B ∈ Σ^ω and all n ∈ ℕ)

The finite-state (f.s.) causal functions are those induced by Mealy machines. A
Mealy machine M : Σ → Γ is a DFA over input alphabet Σ equipped with an
output function λ_M : Q_M × Σ → Γ (where Q_M is the state set of M). Writing
∂* : Σ* → Q_M for the iteration of the transition function ∂ of M from its initial
state, M induces a causal function via (w·a ∈ Σ^+) ↦ (λ_M(∂*(w), a) ∈ Γ).

Causal and f.s. causal functions form categories with finite products. Let S
be the category whose objects are alphabets and whose maps from Σ to Γ are
causal functions F : Σ^ω → Γ^ω. Let M be the wide subcategory of S whose maps
are finite-state causal functions.¹


¹ A subcategory D of C is wide if D has the same objects as C.


Fig. 1. A Mealy machine (left) and an equivalent eager (Moore) machine (right). 


Example 1. (a) Usual functions Σ → Γ lift to (pointwise, one-state) maps
Σ →_M Γ. For instance, the identity Σ →_M Σ is induced by the Mealy machine
with (∂, λ) : (−, a) ↦ (−, a).

(b) Causal functions 1 →_S Σ correspond exactly to ω-words B ∈ Σ^ω.

(c) The conjunction of (2) with either side of (1) is realized by the causal
function F : 2 →_M 2 induced by the machine M : 2 → 2 displayed on
Fig. 1 (left, where a transition a|b outputs b from input a), taken from [31].


Proposition 1. The Cartesian product of Σ_1, ..., Σ_n (for n ≥ 0) in S, M is
given by the product of sets Σ_1 × ··· × Σ_n (so that 1 is terminal).


The Logic MSO(M). Our specification language MSO(M) is an extension of
MSO on ω-words with one function symbol for each f.s. causal function. More
precisely, MSO(M) is a many-sorted first-order logic, with one sort for each
simple type τ ∈ ST, and with one function symbol of arity (σ_1, ..., σ_n; τ) for each
map [σ_1] × ··· × [σ_n] →_M [τ]. A term t of sort τ (notation t^τ) with free variables
among x_1^{σ_1}, ..., x_n^{σ_n} (we say that t is of arity (σ_1, ..., σ_n; τ)) thus induces a map
[t] : [σ_1] × ··· × [σ_n] →_M [τ]. Given a valuation x_i ↦ B_i ∈ [σ_i]^ω ≃ S[1, [σ_i]]
for i ∈ {1, ..., n}, we then obtain an ω-word

    [t] ∘ ⟨B_1, ..., B_n⟩ ∈ S[1, [τ]] ≃ [τ]^ω

MSO(M) extends MSO with ∃x^τ and ∀x^τ ranging over S[1, [τ]] ≃ [τ]^ω and
with sorted equalities t^τ ≐ u^τ interpreted as equality over S[1, [τ]] ≃ [τ]^ω.
Write ⊨ φ when φ holds in this model, called the standard model. The full
definition of MSO(M) is deferred to Sect. 4.1.

An instance of Church’s synthesis problem is given by a closed formula
(∀x^σ)(∃u^τ)φ(u, x). A positive solution (or realizer) of this instance is a term
t(x) of arity (σ; τ) such that (∀x^σ)φ(t(x), x) holds.

Proposition 1 implies that MSO(M) proves the following equations:

    π_i(⟨t_1, ..., t_n⟩) ≐_{σ_i} t_i    and    t ≐_{σ_1 × ··· × σ_n} ⟨π_1(t), ..., π_n(t)⟩    (3)

Hence each formula φ(a_1^{σ_1}, ..., a_n^{σ_n}) can be seen as a formula φ(a^{σ_1 × ··· × σ_n}).
Eager Functions. A causal function Σ →_S Γ is eager if it can produce a prefix
of length n + 1 of its output from a prefix of length n of its input. More precisely,
an eager F : Σ →_E Γ is induced by a map f : Σ* → Γ as

    F(B)(n) = f(B(0)·...·B(n−1))    (for all B ∈ Σ^ω and all n ∈ ℕ)
Finite-state eager functions are those induced by eager (Moore) machines (see
also [11]). An eager machine E : Σ → Γ is a Mealy machine Σ → Γ whose output
function λ_E : Q_E → Γ does not depend on the current input letter. An eager
E : Σ → Γ induces an eager function via the map (w ∈ Σ*) ↦ (λ_E(∂_E*(w)) ∈ Γ).

We write F : Σ →_E Γ when F : Σ →_S Γ is eager and F : Σ →_EM Γ when F
is f.s. eager. All functions F : Σ →_M 1, and more generally, constant functions
F : Σ →_S Γ are eager. Note also that if F : Σ →_M Γ is eager, then F : Σ →_EM Γ.
On the other hand, if F : Σ →_EM Γ is induced by an eager machine E then F is
finite-state causal as being induced by the Mealy machine with same states and
transitions as E, but with output function (q, a) ↦ λ_E(q).

Eager functions do not form a category since the identity of S is not eager. 
On the other hand, eager functions are closed under composition with causal 
functions. 


Proposition 2. If F is eager and G, H are causal then H ∘ F ∘ G is eager.


Isolating eager functions allows a proper treatment of strategies in games and
realizers w.r.t. the Dialectica interpretation. Since Σ^+ → Γ ≃ Σ* → Γ^Σ, maps
Σ →_E Γ^Σ are in bijection with maps Σ →_S Γ. This easily extends to machines.
Given a Mealy machine M : Σ → Γ, let Λ(M) : Σ → Γ^Σ be the eager machine
defined as M but with output map taking q ∈ Q_M to (a ↦ λ_M(q, a)) ∈ Γ^Σ.


Example 2. Recall the Mealy machine M : 2 → 2 of Ex. 1.(c). Then Λ(M) :
2 → 2^2 is the eager machine displayed in Fig. 1 (right, where the output is
indicated within states).


Eager f.s. functions will often be used with the following notations. First, let
@ be the pointwise lift to M of the usual application function Γ^Σ × Σ → Γ. We
often write (F)G for @(F, G). Consider a Mealy machine M : Σ → Γ and the
induced eager machine Λ(M) : Σ → Γ^Σ. We have

    F_M(B) = @(F_{Λ(M)}(B), B)    (for all B ∈ Σ^ω)

Given F : Γ →_E Σ^Γ, we write e(F) for the causal @(F(−), −) : Γ →_S Σ. Given
F : Γ →_S Σ, we write Λ(F) for the eager Γ →_E Σ^Γ such that F = e(Λ(F)).
We extend these notations to terms.
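As an added example (not code from the paper or from [31]), the following Python realises the notions above on finite prefixes: a Mealy machine inducing a causal function, the eager machine Λ(M) together with pointwise application @, and a constructed two-state machine for the conjunction of (2) with either side of (1). The machine, its state names and the helper names are this example's own; since Fig. 1 is not reproduced here, the machine need not coincide with the one of [31].

```python
from itertools import product
from typing import Dict, Hashable, List, Sequence, Tuple

State = Hashable
Letter = int  # letters of the alphabet 2 = {0, 1}


class Mealy:
    """A Mealy machine M : Σ → Γ: a DFA plus an output function λ_M : Q_M × Σ → Γ."""

    def __init__(self, q0: State, delta: Dict[Tuple[State, Letter], State],
                 lam: Dict[Tuple[State, Letter], Letter]):
        self.q0, self.delta, self.lam = q0, delta, lam

    def causal(self, word: Sequence[Letter]) -> List[Letter]:
        """The induced causal function on a finite prefix: output n is
        λ_M(∂*(B(0)…B(n−1)), B(n)), so it needs the input prefix of length n+1."""
        q, out = self.q0, []
        for a in word:
            out.append(self.lam[(q, a)])
            q = self.delta[(q, a)]
        return out

    def eager_lambda(self, word: Sequence[Letter]) -> List[Dict[Letter, Letter]]:
        """The eager machine Λ(M) : Σ → Γ^Σ: same states and transitions, but the
        output in state q is the whole function a ↦ λ_M(q, a).  Output n only needs
        the input prefix of length n, so a word of length L yields L+1 outputs."""
        letters = sorted({a for (_, a) in self.lam})
        q, out = self.q0, []
        for a in list(word) + [None]:
            out.append({b: self.lam[(q, b)] for b in letters})
            if a is not None:
                q = self.delta[(q, a)]
        return out


def apply_pointwise(fs: Sequence[Dict[Letter, Letter]], word: Sequence[Letter]) -> List[Letter]:
    """@: pointwise application of a stream over Γ^Σ to a stream over Σ, so that
    F_M(B)(n) = @(F_{Λ(M)}(B), B)(n) = F_{Λ(M)}(B)(n)(B(n))."""
    return [f[a] for f, a in zip(fs, word)]


# Constructed machine for (2) together with either side of (1): output 1 exactly when
# the input letter is 1 and the previous output was 0 (BLOCKED: the last output was 1).
FREE, BLOCKED = "free", "blocked"
SPEC_MACHINE = Mealy(
    q0=FREE,
    delta={(FREE, 0): FREE, (FREE, 1): BLOCKED, (BLOCKED, 0): FREE, (BLOCKED, 1): FREE},
    lam={(FREE, 0): 0, (FREE, 1): 1, (BLOCKED, 0): 0, (BLOCKED, 1): 0},
)


def satisfies_spec(b: Sequence[Letter], c: Sequence[Letter]) -> bool:
    """Finite-prefix check of (2): C ⊆ B and no two consecutive positions in C; plus the
    witness for (1): every 1 of B at k has C(k)=1 or C(k-1)=1, so an infinite B (and in
    particular a B with finite complement) forces an infinite C."""
    subset = all(ck <= bk for bk, ck in zip(b, c))
    no_consec = all(not (c[k] and c[k + 1]) for k in range(len(c) - 1))
    covered = all(c[k] or (k > 0 and c[k - 1]) for k, bk in enumerate(b) if bk)
    return subset and no_consec and covered


def check_all_words(length: int) -> bool:
    """Exhaustively check the specification and the identity F_M(B) = @(F_{Λ(M)}(B), B)
    on every input prefix of the given length."""
    for b in product((0, 1), repeat=length):
        c = SPEC_MACHINE.causal(b)
        if not satisfies_spec(b, c):
            return False
        if apply_pointwise(SPEC_MACHINE.eager_lambda(b), b) != c:
            return False
    return True
```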

Eager functions admit fixpoints similar to those of contractive maps in the
topos of trees (see e.g. [4, Thm. 2.4]).


Proposition 3. For each F : Σ × Γ →_E Σ^Γ there is a fix(F) : Γ →_E Σ^Γ s.t.

    fix(F)(C) = F(e(fix(F))(C), C)    (for all C ∈ Γ^ω)

If F is induced by the eager machine E : Σ × Γ → Σ^Γ, then fix(F) is induced by
the eager H : Γ → Σ^Γ defined as E but with ∂_H : (q, b) ↦ ∂_E(q, ((λ_E(q))b, b)).


A Dialectica-Like Interpretation of a Linear MSO on Infinite Words 475 


Games. Traditional solutions to Church’s synthesis turn specifications to infi-
nite two-player games with ω-regular winning conditions. Consider an MSO(M)
formula φ(u^τ, x^σ) with no free variable other than u, x. We see this formula
as defining a two-player infinite game G(φ)(u^τ, x^σ) between the Proponent P
(∃loïse), playing moves in [τ], and the Opponent O (∀bélard), playing moves in
[σ]. The Proponent begins, and then the two players alternate, producing an
infinite play of the form

    χ = u_0 · x_0 · ... · u_n · x_n · ...  ≃  ((u_k)_k, (x_k)_k) ∈ [τ]^ω × [σ]^ω

The play χ is winning for P if φ((u_k)_k, (x_k)_k) holds. Otherwise χ is winning for
O. Strategies for P resp. O in this game are functions

    [σ]* → [τ]    resp.    [τ]^+ → [σ]

Hence finite-state strategies are represented by f.s. eager functions. In particular,
a realizer of (∀x^σ)(∃u^τ)φ(u, x) in the sense of Church is a f.s. P-strategy in

    G(φ((u)x, x))(u^{(τ)σ}, x^σ)


Most approaches to Church’s synthesis reduce to the Büchi-Landweber Theo-
rem [7], stating that games with ω-regular winning conditions are effectively
determined, and that the winner always has a finite-state winning strategy. We
will use the Büchi-Landweber Theorem in the following form. Note that an O-strategy
in the game G(φ)(u^τ, x^σ) is a P-strategy in the game G(¬φ(u, (x)u))(x^{(σ)τ}, u^τ).


Theorem 1 ([7]). Let φ(u^τ, x^σ) be an MSO(M)-formula with only u, x free.
Then either there is an eager term u(x) of arity (σ; τ) such that ⊨ (∀x)φ(u(x), x)
or there is an eager term x(u) of arity (τ; (σ)τ) such that ⊨ (∀u)¬φ(u, e(x)(u)).
It is decidable which case holds and the terms are computable from φ.


Curry-Howard Approaches. Following the complete axiomatization of MSO
on ω-words of [28] (see also [26]), one can axiomatize MSO(M) with a deduction
system based on arithmetic (see Sect. 4.1). Consider an instance of Church’s
synthesis (∀x^σ)(∃u^τ)φ(u, x). Then we get from Theorem 1 the alternative

    ⊢_MSO(M) (∀x)φ(e(u)(x), x)    or    ⊢_MSO(M) (∀u)¬φ((u)(x(u)), x(u))    (4)

for an eager term u(x) or a causal term x(u). By enumerating proofs and
machines, one thus gets a (naive) syntactic algorithm for Church’s synthesis.
It seems, however, unlikely to obtain a complete classical system in which the
provable ∀∃-statements do correspond to the realizable instances of Church’s
synthesis, because MSO(M) has true but unrealizable ∀∃-statements. Besides,
note that


x £) Fmsom) (V2?)(4u 
(Wul™)?)-p((u)(x(u)), x(u)) Fumsomy (Yu?) 
) Fumsom) (vu?) 


€ 
(3 
while it is possible both for realizable and unrealizable instances to have

    ⊢_MSO(M) (∀x^σ)(∃u^τ)φ(u, x) ∧ (∀u^{(τ)σ})(∃x^σ)¬φ((u)x, x)    (5)


In previous works [25,26], the authors devised intuitionistic and linear vari-
ants of MSO on ω-words in which, thanks to automata-based polarity systems,
proofs of suitably polarized existential statements correspond exactly to realiz-
ers for Church’s synthesis. In particular, [26] proposed a system LMSO based
on (intuitionistic) linear logic [13], such that via a translation (−)^L : MSO →
LMSO, provable ∀∃(−)^L-statements exactly correspond to realizable instances
of Church’s synthesis, while (4) exactly corresponds to alternatives of the form

    ⊢_LMSO (∀x^σ)(∃u^τ)[φ((u)x, x)]^L    or    ⊢_LMSO (∀u^{(τ)σ})(∃x^σ)[¬φ((u)x, x)]^L    (6)


This paper goes further. We show that the automata-based realizability
model of [26] can be obtained in a syntactic way, thanks to a (linear) Dialectica-
like interpretation of a variant of LMSO, which turns a formula φ to a formula
φ^D of the form (∃u)(∀x)φ_D(u, x), where φ_D(u, x) essentially represents a deter-
ministic automaton. While the correctness of the extraction procedure of [25,26]
relied on automata-theoretic techniques, we show here that it can be performed
syntactically. Second, by extending LMSO with realizable axioms, we obtain a
system LMSO(C) in which, using an adaptation of the usual Characterization
Theorem for Dialectica stating that φ ∘−∘ φ^D (see e.g. [16]), alternatives of the
form (6) imply that for a closed φ,

    ⊢_LMSO(C) φ    or    ⊢_LMSO(C) φ ⊸ ⊥

where (−) ⊸ ⊥ is a linear negation. We thus get a complete linear system with
extraction of suitably polarized ∀∃-statements. Such a system can of course not
have a standard semantics, and indeed, LMSO(C) has a functional choice axiom

    (∀x^σ)(∃u^τ)φ(x, u) ⊸ (∃f^{(τ)σ})(∀x^σ)φ(x, (f)x)    (LAC)

which is realizable in the sense of both (−)^D and [26], but whose translation to
MSO(M) (which precludes (5)) is false in the standard model.


3 A Monadic Linear Dialectica-Like Interpretation 


Gödel’s “Dialectica” functional interpretation associates to φ(a) a formula φ^D(a)
of the form (∃u^τ)(∀x^σ)φ_D(u, x, a). In usual versions formulated in higher-types
arithmetic (see e.g. [1,16]), the formula φ_D is quantifier-free, so that φ^D is a
prenex form of φ. This prenex form is constructive, and a constructive proof of
φ can be turned to a proof of φ^D with an explicit (closed) witness for ∃u. We call
such witnesses realizers of φ. Even if Dialectica originally interprets intuitionistic
arithmetic, it is structurally linear: in general, realizers of contraction

    φ(a) ⊸ φ(a) ⊗ φ(a)


Fig. 2. Deduction for MF (where z^τ is fresh).


only exist when the term language can decide φ_D(u, x, a), which is possible in
arithmetic but not in all settings. Besides, linear versions of Dialectica were
formulated at the very beginning of linear logic [21-23] (see also [14,27]).

In this paper, we use a variant of Dialectica as a syntactic formulation of the
automata-based realizability model of [26]. The formula φ_D essentially repre-
sents a deterministic automaton on ω-words and is in general not quantifier-free.
Moreover, we extract f.s. causal functions, while the category M is not closed.
As a result, a realizer of φ is an open (eager) term u(x) of arity (σ; τ) satisfying
φ_D(u(x), x). While it is possible to exhibit realizers for contraction on closed
φ thanks to the Büchi-Landweber Theorem, this is generally not the case for
open φ(a). We therefore resort to working in a linear system, in which we obtain
witnesses for ∀∃(−)^L-statements (and thus for realizable instances of Church’s
synthesis), but not for all ∀∃-statements.

Fix a set of atomic formulae At containing all (t^τ ≐ u^τ), and a standard
interpretation extending Sect. 2 for each α ∈ At.


3.1 The Multiplicative Fragment 


Our linear system is based on full intuitionistic linear logic (see [15]). The for-
mulae of the multiplicative fragment MF are given by the grammar:

    φ, ψ ::= I | ⊥ | α | φ ⊸ ψ | φ ⊗ ψ | φ ⅋ ψ | (∃x^τ)φ | (∀x^τ)φ

(where α ∈ At). Deduction is given by the rules of Fig. 2 and the axioms


[t] = w] 


Prem Sw yee FPEF 


Each formula φ of MF can be mapped to a classical formula |φ| (where I, ⊸,
⊗, ⅋ are replaced resp. by ⊤, ⇒, ∧, ∨). Hence |φ| holds whenever ⊢ φ.

The Dialectica interpretation of MF is the usual one rewritten with the con-
nectives of MF, but for the disjunction ⅋ that we treat similarly as ⊗. To each
    (φ ⊗ ψ)^D(a) := ∃(u,v)∀(x,y). (φ ⊗ ψ)_D((u,v), (x,y), a) := ∃(u,v)∀(x,y). φ_D(u, x, a) ⊗ ψ_D(v, y, a)
    (φ ⅋ ψ)^D(a) := ∃(u,v)∀(x,y). (φ ⅋ ψ)_D((u,v), (x,y), a) := ∃(u,v)∀(x,y). φ_D(u, x, a) ⅋ ψ_D(v, y, a)
    (φ ⊸ ψ)^D(a) := ∃(f,F)∀(u,y). (φ ⊸ ψ)_D((f,F), (u,y), a) := ∃(f,F)∀(u,y). φ_D(u, (F)u y, a) ⊸ ψ_D((f)u, y, a)
    (∃w.φ)^D(a) := ∃(u,w)∀x. (∃w.φ)_D((u,w), x, a) := ∃(u,w)∀x. φ_D(u, x, (a,w))
    (∀w.φ)^D(a) := ∃f∀(x,w). (∀w.φ)_D(f, (x,w), a) := ∃f∀(x,w). φ_D((f)w, x, (a,w))


Fig. 3. The Dialectica interpretation of MF (where types are left implicit).


formula φ(a) with only a free, we associate a formula φ^D(a) with only a free,
as well as a formula φ_D with possibly other free variables. For atomic formulae
we let φ^D(a) := φ_D(a) := φ(a). The inductive cases are given on Fig. 3, where
φ^D(a) = (∃u)(∀x)φ_D(u, x, a) and ψ^D(a) = (∃v)(∀y)ψ_D(v, y, a).

Dialectica is such that φ^D is equivalent to φ via possibly non-intuitionistic
but constructive principles. The tricky connectives are implication and uni-
versal quantification. Similarly as in the intuitionistic case (see e.g. [1,16,33]),
(φ ⊸ ψ)^D is a prenex form of φ^D ⊸ ψ^D obtained using (LAC) together with
linear variants of the Markov and Independence of Premises principles. In our
case, the equivalence φ ∘−∘ φ^D also requires additional axioms for ⊗ and ⅋. We
give details for the full system in Sect. 3.3.

The soundness of (−)^D goes as usual, except that we extract open eager
terms: from a proof of φ(a^σ) we extract a realizer of (∀a)φ(a), that is an open
eager term u(x, a) s.t. ⊢ φ_D(@(u(x, a), a), x, a). Composition of realizers (in part.
required for the cut rule) is given by the fixpoints of Proposition 3. Note that a
realizer of a closed φ is a finite-state winning P-strategy in G(|φ_D|)(u, x).
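To make the clauses of Fig. 3 concrete, here is an added Python transcription (not the paper's own code): translate returns the types of the ∃-witness and ∀-counter and builds φ_D as text, destructuring the figure's pairs with projections π1/π2 and keeping the figure's (u, w) and (x, w) tuples for the quantifier clauses. The projection names, the printed unit type 1 for atoms and the prefix form printed by dialectica are assumptions of this encoding.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Tuple, Union

# Simple types of Sect. 2, kept as printable strings: 1, o, σ × τ, σ → τ.
Type = str
UNIT = "1"


def prod(a: Type, b: Type) -> Type:
    return f"({a} × {b})"


def fun(a: Type, b: Type) -> Type:
    return f"({a} → {b})"


# Formulae of the multiplicative fragment MF (atoms carry variable names only).
@dataclass
class Atom:
    name: str
    args: Tuple[str, ...]


@dataclass
class Tensor:          # φ ⊗ ψ
    left: "Formula"
    right: "Formula"


@dataclass
class Par:             # φ ⅋ ψ
    left: "Formula"
    right: "Formula"


@dataclass
class Lolli:           # φ ⊸ ψ
    left: "Formula"
    right: "Formula"


@dataclass
class Exists:          # (∃w^τ)φ
    var: str
    typ: Type
    body: "Formula"


@dataclass
class Forall:          # (∀w^τ)φ
    var: str
    typ: Type
    body: "Formula"


Formula = Union[Atom, Tensor, Par, Lolli, Exists, Forall]
Env = Dict[str, str]                      # bound variable -> term substituted for it
Body = Callable[[str, str, Env], str]     # (witness term, counter term, env) -> φ_D as text


def translate(phi: Formula) -> Tuple[Type, Type, Body]:
    """Fig. 3: the type of the ∃-witness u, the type of the ∀-counter x, and φ_D."""
    if isinstance(phi, Atom):
        return UNIT, UNIT, lambda w, c, env: f"{phi.name}({', '.join(env.get(a, a) for a in phi.args)})"
    if isinstance(phi, (Tensor, Par)):
        tu, tx, fd = translate(phi.left)
        tv, ty, gd = translate(phi.right)
        op = "⊗" if isinstance(phi, Tensor) else "⅋"
        return prod(tu, tv), prod(tx, ty), lambda w, c, env: (
            f"({fd(f'π1({w})', f'π1({c})', env)} {op} {gd(f'π2({w})', f'π2({c})', env)})")
    if isinstance(phi, Lolli):
        tu, tx, fd = translate(phi.left)
        tv, ty, gd = translate(phi.right)
        # witness (f, F) with f : u ↦ v and F : u ↦ y ↦ x; counter (u, y)
        return prod(fun(tu, tv), fun(tu, fun(ty, tx))), prod(tu, ty), lambda w, c, env: (
            f"({fd(f'π1({c})', f'((π2({w}))(π1({c})))(π2({c}))', env)} ⊸ "
            f"{gd(f'(π1({w}))(π1({c}))', f'π2({c})', env)})")
    if isinstance(phi, Exists):
        tu, tx, fd = translate(phi.body)
        return prod(tu, phi.typ), tx, lambda w, c, env: fd(f"π1({w})", c, {**env, phi.var: f"π2({w})"})
    if isinstance(phi, Forall):
        tu, tx, fd = translate(phi.body)
        return fun(phi.typ, tu), prod(tx, phi.typ), lambda w, c, env: (
            fd(f"({w})(π2({c}))", f"π1({c})", {**env, phi.var: f"π2({c})"}))
    raise TypeError(f"not an MF formula: {phi!r}")


def dialectica(phi: Formula) -> str:
    """φ^D printed in prenex form (∃u : τ)(∀x : σ) φ_D(u, x)."""
    tu, tx, body = translate(phi)
    return f"(∃u : {tu})(∀x : {tx}) {body('u', 'x', {})}"
```

Run on the Church-synthesis shape (∀x^σ)(∃u^τ)φ(u, x), the witness type σ → (1 × τ) is the function type of (LAC)'s f up to the unit component.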


3.2 Polarized Exponentials

It is well-known that the structure of Dialectica is linear, as it makes problematic
the interpretation of contraction:

    φ(a) ⊸ φ(a) ⊗ φ(a)    and    φ(a) ⅋ φ(a) ⊸ φ(a)

In our case, the Büchi-Landweber Theorem implies that all closed instances of
contraction have realizers which are correct in the standard model. But this is
in general not true for open instances.


Example 3. Realizers of φ ⊸ φ ⊗ φ for a closed φ are given by eager terms
U_1(u, x_1, x_2), U_2(u, x_1, x_2), X(u, x_1, x_2) which must represent P-strategies in the
game G(Φ)((U_1, U_2, X), (u, x_1, x_2)), where Φ is

    |φ_D(u, (X)u x_1 x_2)|  ⟹  |φ_D((U_1)u, x_1)| ∧ |φ_D((U_2)u, x_2)|

By the Büchi-Landweber Theorem 1, either there is an eager term U(x) such
that |φ_D(U(x), x)| holds, so that

    |φ_D(u, x_1)|  ⟹  |φ_D(e(U)(x_1), x_1)| ∧ |φ_D(e(U)(x_2), x_2)|

or there is an eager term X(u) such that |¬φ_D(u, e(X)(u))| holds, so that

    |φ_D(u, e(X)(u))|  ⟹  |φ_D(u, x_1)| ∧ |φ_D(u, x_2)|


Example 4. Consider the open formula φ(a^o) := (∀x^o)(t(x, a) ≐ 0^ω) where
[t](B, C) = 0^{n+1}1^ω for the first n ∈ ℕ with C(n+1) = B(0) if such n exists, and
such that [t](B, C) = 0^ω otherwise. The game induced by ((∀a)(φ ⊸ φ ⊗ φ))_D
is G(Φ)(X, (x_1, x_2, a)), where Φ is

    t((X)x_1 x_2 a, a) ≐ 0^ω  ⟹  t(x_1, a) ≐ 0^ω ∧ t(x_2, a) ≐ 0^ω

In this game, P begins by playing a function 2^3 → 2, O replies in 2^3, and then
P and O keep on alternatively playing moves of the expected type. A finite-state
winning strategy for O is easy to find. Let P begin with the function X. Fix some
a ∈ 2 and let i := X(0, 1, a). O replies (0, 1, a) to X. The further moves of P
are irrelevant, and O keeps on playing (−, −, 1 − i) (the values of x_1 and x_2 are
irrelevant after the first round). This strategy ensures

    t((X)x_1 x_2 a, a) ≐ 0^ω  ∧  ¬(t(x_1, a) ≐ 0^ω ∧ t(x_2, a) ≐ 0^ω)


Hence we cannot realize contraction while remaining correct w.r.t. the
standard model. On the other hand, Dialectica induces polarities generaliz-
ing the usual polarities of linear logic (see e.g. [17]). Say that φ(a) is posi-
tive (resp. negative) if φ^D(a) is of the form φ^D(a) = (∃u^τ)φ_D(u, −, a) (resp.
φ^D(a) = (∀x^σ)φ_D(−, x, a)). Quantifier-free formulae are thus both positive and
negative.




Example 5. Polarized contraction

    φ^+ ⊸ φ^+ ⊗ φ^+    and    ψ^− ⅋ ψ^− ⊸ ψ^−    (φ^+ positive, ψ^− negative)

gives realizers of all instances of itself. Indeed, with say φ^D(a) = (∃u)φ_D(u, −, a)
and ψ^D(a) = (∀y)ψ_D(−, y, a), Λ(π_1) (for π_1 a M-projection on suitable types)
gives eager terms U(u, a) and Y(y, a) such that

    φ_D(u, −, a) ⊸ (φ_D(e(U)(u, a), −, a) ⊗ φ_D(e(U)(u, a), −, a))
    and    (ψ_D(−, e(Y)(y, a), a) ⅋ ψ_D(−, e(Y)(y, a), a)) ⊸ ψ_D(−, y, a)


We only have exponentials for polarized formulae. First, following the usual polarities of linear logic, we can let

$$\begin{array}{rcl}
(!(\varphi^+))^D(a) & = & (\exists u)(!(\varphi^+))_D(u, -, a) \;=\; (\exists u)\,!\varphi_D(u, -, a) \\
(?(\psi^-))^D(a) & = & (\forall y)(?(\psi^-))_D(-, y, a) \;=\; (\forall y)\,?\psi_D(-, y, a)
\end{array} \qquad (8)$$


Fig. 4. Exponential rules of PF.


Hence $!\varphi$ is positive for a positive $\varphi$ and $?\psi$ is negative for a negative $\psi$. The following exponential contraction axioms are then interpreted by themselves:

$$!(\varphi^+) \multimap\; !(\varphi^+) \otimes !(\varphi^+) \qquad\text{and}\qquad ?(\psi^-) \parr ?(\psi^-) \multimap\; ?(\psi^-)$$


Second, we can have exponentials $!(\psi^-)$ and $?(\varphi^+)$ with the automata-based reading of [26]. Positive formulae are seen as non-deterministic automata, and $?(-)$ on positive formulae is determinization on $\omega$-words (McNaughton's Theorem [19]). Negative formulae are seen as universal automata, and $!(-)$ on negative formulae is co-determinization (an instance of the Simulation Theorem [10,20]). Formulae which are both positive and negative (notation $(-)^\pm$) correspond to deterministic automata, and are called deterministic. We let

$$\begin{array}{rcl}
(!(\psi^-))^D(a) & = & (!(\psi^-))_D(-, -, a) \;=\; !(\forall x)\psi_D(-, x, a) \\
(?(\varphi^+))^D(a) & = & (?(\varphi^+))_D(-, -, a) \;=\; ?(\exists u)\varphi_D(u, -, a)
\end{array} \qquad (9)$$


So $!(\psi^-)$ and $?(\varphi^+)$ are always deterministic. The corresponding exponential contraction axioms are interpreted by themselves. This leads to the following polarized fragment PF (the deduction rules for exponentials are given on Fig. 4):

$$\begin{array}{rcl}
\varphi^\pm, \psi^\pm & ::= & I \mid \bot \mid [\alpha] \mid !(\psi^-) \mid ?(\varphi^+) \mid \varphi^\pm \otimes \psi^\pm \mid \varphi^\pm \parr \psi^\pm \mid \varphi^\pm \multimap \psi^\pm \\
\varphi^+, \psi^+ & ::= & \varphi^\pm \mid !(\varphi^+) \mid (\exists x^\tau)\varphi^+ \mid \varphi^+ \,\&\, \psi^+ \mid \varphi^+ \otimes \psi^+ \mid \varphi^- \multimap \psi^+ \\
\varphi^-, \psi^- & ::= & \varphi^\pm \mid ?(\psi^-) \mid (\forall x^\tau)\varphi^- \mid \varphi^- \oplus \psi^- \mid \varphi^- \parr \psi^- \mid \varphi^+ \multimap \psi^-
\end{array}$$


3.3 The Full System 


The formulae of the full system FS are given by the following grammar:

$$\varphi, \psi \;::=\; \alpha \mid !\varphi \mid ?\varphi \mid \varphi \multimap \psi \mid \varphi \otimes \psi \mid \varphi \parr \psi \mid (\exists x^\tau)\varphi \mid (\forall x^\tau)\varphi$$

Deduction in FS is given by Figs. 2, 4 and (7). We extend $|-|$ to FS with $|!\varphi| := |?\varphi| := |\varphi|$. Hence $|\varphi|$ holds when $\vdash \varphi$ is derivable. The Dialectica interpretation of FS is given by Fig. 3 and (8), (9) (still taking $\varphi^D(a) := \varphi_D(a) := \alpha(a)$ for atoms). Note that $(-)^D$ preserves and reflects polarities.


Theorem 2 (Soundness). Let $\varphi$ be closed with $\varphi^D = (\exists u^\tau)(\forall x^\sigma)\varphi_D(u, x)$. From a proof of $\varphi$ in FS one can extract an eager term $u(x)$ such that FS proves $(\forall x^\sigma)\varphi_D(u(x), x)$.
As usual, proving $\varphi \multimap\!\!\multimap \varphi^D$ requires extra axioms. Besides (LAC), we use the following (linear) semi-intuitionistic principles (LSIP), with polarities as shown:

$$\begin{array}{rcl}
(\forall a)(\varphi^-(a) \otimes \psi^-) & \multimap & (\forall a)\varphi^-(a) \otimes \psi^- \\
(\forall a)(\varphi^-(a) \parr \psi^-) & \multimap & (\forall a)\varphi^-(a) \parr \psi^- \\
(\exists a)\varphi^+(a) \parr \psi^+ & \multimap & (\exists a)(\varphi^+(a) \parr \psi^+) \\
(\varphi^- \multimap (\exists a)\psi^+(a)) & \multimap & (\exists a)(\varphi^- \multimap \psi^+(a)) \\
((\forall a)\varphi^-(a) \multimap \psi^+) & \multimap & (\exists a)(\varphi^-(a) \multimap \psi^+)
\end{array} \qquad \text{(LSIP)}$$

as well as the following deterministic exponential axioms (DEXP):

$$\delta \multimap\; !\delta \qquad\text{and}\qquad ?\delta \multimap \delta \qquad (\delta \text{ deterministic})$$

All these axioms but (LAC) are true in the standard model (via $|-|$). Moreover:


Proposition 4. The axioms (LAC) and (LSIP) are realized in FS. The axioms (DEXP) are realized in FS + (DEXP).


Theorem 3 (Characterization). We have

$$\begin{array}{ll}
\vdash_{\mathrm{FS} + (\mathrm{LAC}) + (\mathrm{LSIP}) + (\mathrm{DEXP})} \; \varphi^D(a) \multimap\!\!\multimap \varphi(a) & (\varphi \text{ FS-formula}) \\
\vdash_{\mathrm{FS} + (\mathrm{LSIP}) + (\mathrm{DEXP})} \; \varphi^D(a) \multimap\!\!\multimap \varphi(a) & (\varphi \text{ PF-formula})
\end{array}$$


Corollary 1 (Extraction). Consider a closed formula $\varphi := (\forall x^\sigma)(\exists u^\tau)\delta(u, x)$ with $\delta$ deterministic. From a proof of $\varphi$ in FS + (LAC) + (LSIP) + (DEXP) one can extract a term $t(x)$ such that $\models (\forall x^\sigma)|\delta(t(x), x)|$.


Note that FS + (DEXP) proves ô °? (6 — L) for all deterministic ô. 


3.4 Translations of Classical Logic 

There are many translations from classical to linear logic. Two canonical possibilities are the two translations of [9] (see also [17,18]) targeting resp. negative and positive formulae. Both take classical sequents to linear sequents of the form $!(-) \vdash ?(-)$, which are provable in FS thanks to the PF rules

$$\frac{!\Gamma, !\varphi \vdash \psi, ?\Delta}{!\Gamma \vdash\; !\varphi \multimap \psi, ?\Delta} \qquad\qquad \frac{!\Gamma \vdash \varphi, ?\Delta}{!\Gamma \vdash (\forall x)\varphi, ?\Delta}$$

For the completeness of LMSO($\mathcal{C}$) (Theorem 6, Sect. 4), we shall actually require a translation $(-)^L$ such that the linear equivalences (with polarities as displayed)

$$!\varphi^+ \multimap\!\!\multimap \lfloor\varphi^+\rfloor^L \qquad\quad \varphi^\pm \multimap\!\!\multimap \lfloor\varphi^\pm\rfloor^L \qquad\quad ?\varphi^- \multimap\!\!\multimap \lfloor\varphi^-\rfloor^L \qquad (10)$$

are provable possibly with extra axioms that we require to realize themselves. In part., (10) implies (DEXP), and $(-)^L$ should give deterministic formulae. While both translations of [9] can be adapted accordingly, (10) induces axioms which make the resulting translations equivalent to the deterministic $(-)^L$-translation of [26]:




eel Teel eeu (yvy) He ae Gre) =7G a)" 
(p> p)” = py (Pnp = OY (Va7.p)” = (Va? )p” 


Proposition 5. The scheme (10) is equivalent in FS to (DEXP)+(PEXP), where 
(PEXP) are the following polarized exponential axioms, with polarities as shown: 


(pt) — yt) 2T) — (47) 
(pT) — ?(Yt) — te — y?) (pt) — (Y7) — (pt — y7) 
2(pt) 8Y) — (yt gyt) (PDY) — Wp") 8y) 
2(pt) PYT) — (pt3 yt) p~ Bp-) — (p7)? !y) 


Proposition 6. If $\varphi$ is provable in many-sorted classical logic with equality then FS + (DEXP) proves $\varphi^L$.


Proposition 7. The axioms (PEXP) are realized in FS + (LSIP) + (DEXP) + 
(PEXP). Corollary 1 thus extends to FS + (LAC) + (LSIP) + (DEXP) + (PEXP). 


Note that $\varphi^L$ is deterministic and that $|\varphi^L| = \varphi$.


4 Completeness 


In Sect. 3 we devised a Dialectica-like $(-)^D$ providing a syntactic extraction procedure for $\forall\exists(-)^\pm$-statements. In this Section, building on an axiomatic treatment of MSO(M), we show that LMSO, an arithmetic extension of FS + (LSIP) + (DEXP) + (PEXP) adapted from [26], is correct and complete w.r.t. Church's synthesis, in the sense that the provable $\forall\exists(-)^\pm$-statements are exactly the realizable ones. We then turn to the main result of this paper, namely the completeness of LMSO($\mathcal{C}$) := LMSO + (LAC). We fix the set of atomic formulae

$$\alpha \in \mathrm{At} \;::=\; t = u \mid t^o \subseteq u^o \mid E(t^o) \mid N(t^o) \mid S(t^o, u^o) \mid 0(t^o) \mid t^o < u^o$$


4.1 The Logic MSO(M) 


MSO(M) is many-sorted first-order logic with atomic formulae $\alpha \in \mathrm{At}$. Its sorts and terms are those given in Sect. 2, and the standard interpretation extends that of Sect. 2 as follows: $\subseteq$ is set inclusion, $E$ holds on $B$ iff $B$ is empty, $N$ (resp. $0$) holds on $B$ iff $B$ is a singleton $\{n\}$ (resp. the singleton $\{0\}$), and $S(B, C)$ (resp. $B < C$) holds iff $B = \{n\}$ and $C = \{n+1\}$ for some $n \in \mathbb{N}$ (resp. $B = \{n\}$ and $C = \{m\}$ for some $n < m$). We write $x^\iota$ for variables $x^o$ relativized to $N$, so that $(\exists x^\iota)\varphi$ and $(\forall x^\iota)\varphi$ stand resp. for $(\exists x^o)(N(x) \wedge \varphi)$ and $(\forall x^o)(N(x) \Rightarrow \varphi)$. Moreover, $x^\iota \in t$ stands for $x^\iota \subseteq t$, so that $t^o \subseteq u^o$ is equivalent to $(\forall x^\iota)(x \in t \Rightarrow x \in u)$.

The logic MSO* [26] is MSO(M) restricted to the type o, hence with only 
terms for Mealy machines of sort (2,...,2;2). The MSO of [26] is the purely 
relational (term-free) restriction of MSO*. Recall from [26, Prop. 2.6], that for 
Fig. 5. The Arithmetic Rules of MSO(M) and LMSO (with terms of sort $o$ and $z$ fresh).


each Mealy machine $\mathcal{M} : 2^p \to 2$, there is an MSO-formula $\delta_{\mathcal{M}}(X, x)$ such that for all $n \in \mathbb{N}$ and all $B \in (2^\omega)^p$, we have $F_{\mathcal{M}}(B)(n) = 1$ iff $\delta_{\mathcal{M}}(\{n\}, B)$ holds.

The axioms of MSO(M) are the arithmetic rules of Fig. 5, the axioms (7) and the following, where $\mathcal{M} : 2^p \to 2$ and $y, z, X$ are fresh.

$$\vdash (\forall X^o)(\forall x^\iota)\big(x \in F_{\mathcal{M}}(X) \Leftrightarrow \delta_{\mathcal{M}}(x, X)\big) \qquad\qquad \vdash (\exists X^o)(\forall x^\iota)(x \in X \Leftrightarrow \varphi)$$

$$\frac{\Gamma, 0(z) \vdash \varphi[z/x], \Delta \qquad \Gamma, S(y, z), \varphi[y/x] \vdash \varphi[z/x], \Delta}{\Gamma \vdash (\forall x^\iota)\varphi, \Delta}$$
The theory MSO(M) is complete. Thus provability in MSO(M) and validity in the standard model coincide. This extends [26, Thm. 2.11 (via [28])].


Theorem 4 (Completeness of MSO(M)). For closed MSO(M)-formulae $\varphi$, we have $\models \varphi$ if and only if $\vdash_{\mathrm{MSO(M)}} \varphi$.


4.2 The Logic LMSO 
The system LMSO is FS + (LSIP) + (DEXP) + (PEXP) extended with Fig. 5 and

$$\vdash (\forall X^o)(\forall x^\iota)\big(x \in F_{\mathcal{M}}(X) \multimap\!\!\multimap \delta_{\mathcal{M}}(x, X)\big) \qquad\qquad \vdash\; ?(\exists X^o)(\forall x^\iota)(x \in X \multimap\!\!\multimap \delta)$$

$$\frac{!\Gamma, 0(z) \vdash \varphi^-[z/x], ?\Delta \qquad !\Gamma, S(y, z), !\varphi^-[y/x] \vdash \varphi^-[z/x], ?\Delta}{!\Gamma \vdash (\forall x^\iota)\varphi^-, ?\Delta}$$

Let LMSO($\mathcal{C}$) := LMSO + (LAC). Note that $\vdash_{\mathrm{MSO(M)}} |\varphi|$ whenever $\vdash_{\mathrm{LMSO}} \varphi$. Proposition 6 extends so that similarly as in [26] we have


Proposition 8. If $\vdash_{\mathrm{MSO(M)}} \varphi$ then $\vdash_{\mathrm{LMSO}} \varphi^L$. In part., for a realizable instance of Church's synthesis $(\forall x^\sigma)(\exists u^\tau)\varphi(u, x)$, we have $\vdash_{\mathrm{LMSO}} (\forall x^\sigma)(\exists u^\tau)\varphi^L(u, x)$.


Moreover, the soundness of $(-)^D$ extends to LMSO. It follows that LMSO($\mathcal{C}$) is coherent and proves exactly the realizable $\forall\exists(-)^\pm$-statements.

Theorem 5 (Soundness). Let $\varphi$ be closed with $\varphi^D = (\exists u^\tau)(\forall x^\sigma)\varphi_D(u, x)$. From a proof of $\varphi$ in LMSO($\mathcal{C}$) one can extract an eager term $u(x)$ such that LMSO proves $(\forall x^\sigma)\varphi_D(u(x), x)$.


Corollary 2 (Extraction). Consider a closed formula $\varphi := (\forall x^\sigma)(\exists u^\tau)\delta(u, x)$ with $\delta$ deterministic. From a proof of $\varphi$ in LMSO($\mathcal{C}$) one can extract a term $t(x)$ such that $\models (\forall x^\sigma)|\delta(t(x), x)|$.


4.3 Completeness of LMSO(¢€) 


The completeness of LMSO($\mathcal{C}$) follows from a couple of important facts. First, LMSO($\mathcal{C}$) proves the elimination of linear double negation, using (via Theorem 3) the same trick as in [26].


Lemma 1. For all LMSO-formula $\varphi$, we have $(\varphi \multimap \bot) \multimap \bot \;\vdash_{\mathrm{LMSO}(\mathcal{C})}\; \varphi$.

Combining Lemma 1 with (LAC) gives classical linear choice.

Corollary 3. $(\forall f)(\exists x)\varphi(x, (f)x) \;\vdash_{\mathrm{LMSO}(\mathcal{C})}\; (\exists x)(\forall y)\varphi(x, y)$.


The key to the completeness of LMSO($\mathcal{C}$) is the following quantifier inversion.


Lemma 2. $(\forall x^\sigma)\varphi(t^\tau(x), x) \;\vdash_{\mathrm{LMSO}(\mathcal{C})}\; (\exists u^\tau)(\forall x^\sigma)\varphi(u, x)$, where $t(x)$ is eager.


Lemma 2 follows (via Corollary 3) from the fixpoints on eager machines (Proposition 3). Fix an eager $t^\tau(x^\sigma)$. Taking the fixpoint of $[\![(f)t(x)]\!] : [\![\sigma]\!] \times [\![(\tau)\sigma]\!] \to_{\mathrm{M}} [\![\sigma]\!]$ gives a term $v^\sigma(f^{(\tau)\sigma})$ such that $v(f) \doteq (f)t(v(f))$. Then conclude with

$$\begin{array}{rcl}
(\forall x^\sigma)\varphi(t(x), x) & \vdash_{\mathrm{LMSO}} & \varphi(t(v(f)), v(f)) \\
& \vdash_{\mathrm{LMSO}} & \varphi(t(v(f)), (f)t(v(f))) \\
& \vdash_{\mathrm{LMSO}} & (\exists u^\tau)\varphi(u, (f)u) \\
& \vdash_{\mathrm{LMSO}} & (\forall f)(\exists u^\tau)\varphi(u, (f)u) \\
& \vdash_{\mathrm{LMSO}(\mathcal{C})} & (\exists u^\tau)(\forall x^\sigma)\varphi(u, x)
\end{array}$$


Completeness of LMSO($\mathcal{C}$) then follows via $(-)^D$, Proposition 5, completeness of MSO(M) and the Büchi-Landweber Theorem 1. The idea is to lift a f.s. winning P-strategy in $\mathcal{G}(|\varphi_D(u, x)|)(u, x)$ to a realizer of $\varphi^D = (\exists u)(\forall x)\varphi_D(u, x)$ in LMSO($\mathcal{C}$).


Theorem 6 (Completeness of LMSO($\mathcal{C}$)). For each closed formula $\varphi$, either $\vdash_{\mathrm{LMSO}(\mathcal{C})} \varphi$ or $\vdash_{\mathrm{LMSO}(\mathcal{C})} \varphi \multimap \bot$.
5 Conclusion


We provided a linear Dialectica-like interpretation of LMSO($\mathcal{C}$), a linear variant of MSO on $\omega$-words based on [26]. Our interpretation is correct and complete w.r.t. Church's synthesis, in the sense that it proves exactly the realizable $\forall\exists(-)^\pm$-statements. We thus obtain a syntactic extraction procedure with correctness proof internalized in LMSO($\mathcal{C}$). The system LMSO($\mathcal{C}$) is moreover complete in the sense that for every closed formula $\varphi$, it proves either $\varphi$ or its linear negation. While completeness for a linear logic necessarily collapses some linear structure, the corresponding axioms (DEXP) and (PEXP) do respect the structural constraints allowing for realizer extraction from proofs. The completeness of LMSO($\mathcal{C}$) contrasts with that of the classical system MSO(M), since the latter has provable unrealizable $\forall\exists$-statements. In particular, proof search in LMSO($\mathcal{C}$) for $\forall\exists(-)^\pm$-formulae and their negation is correct and complete w.r.t. Church's synthesis. The design of the Dialectica interpretation also clarified the linear structure of LMSO, as it allowed us to decompose it starting from a system based on usual full intuitionistic linear logic (see e.g. [3] for recent references on the subject).

An outcome of witness extraction for LMSO($\mathcal{C}$) is the realization of a simple version of the fan rule (in the usual sense of e.g. [16]). We plan to investigate monotone variants of Dialectica for our setting. Thanks to the compactness of $\Sigma^\omega$, we expect this to allow extraction of uniform bounds, possibly with translations to stronger constructive logics than LMSO.
Abstract. In 1982, Courcelle and Franchi-Zannettacci showed that the equivalence problem of separated non-nested attribute systems can be reduced to the equivalence problem of total deterministic separated basic macro tree transducers. They also gave a procedure for deciding equivalence of transducers in the latter class. Here, we reconsider this equivalence problem. We present a new alternative decision procedure and prove that it runs in polynomial time. We also consider extensions of this result to partial transducers and to the case where parameters of transducers accumulate strings instead of trees.


1 Introduction 


Attribute grammars are a well-established formalism for realizing computations 
on syntax trees [20,21], and implementations are available for various program- 
ming languages, see, e.g. [12,28,29]. A fundamental question for any such speci- 
fication formalism is whether two specifications are semantically equivalent. As a 
particular case, attribute grammars have been considered which compute unin- 
terpreted trees. Such devices that translate input trees (viz. the parse trees of 
a context-free grammar) into output trees, have also been studied under the 
name “attributed tree transducer” [14] (see also [15]). In 1982, Courcelle and 
Franchi-Zannettacci showed that the equivalence problem for (strongly noncir- 
cular) attribute systems reduces to the equivalence problem for primitive recur- 
sive schemes with parameters [3]; the latter model is also known under the name 
macro tree transducer [9]. Whether or not equivalence of attributed tree trans- 
ducers (ATTs) or of (deterministic) macro tree transducers (MTTs) is decidable 
remain two intriguing (and very difficult) open problems. 

For several subclasses of ATTs it has been proven that equivalence is decid- 
able. The most general and very recent result that covers almost all other known 
ones about deterministic tree transducers is that “deterministic top-down tree-to-string transducers” have decidable equivalence [27]. Notice that the complexity of this problem remains unknown (the decidability is proved via two semi-decision procedures). The only result concerning deterministic tree transducers that we are aware of and that is not covered by this general result, is the one
by Courcelle and Franchi-Zannettacci about decidability of equivalence of “sepa- 
rated non-nested” ATTs (which they reduce to the same problem for “separated 
non-nested” MTTs). However, in their paper no statement is given concerning 
the complexity of the problem. In this paper we close this gap and study the 
complexity of deciding equivalence of separated non-nested MTTs. To do so we 
propose a new approach that we feel is simpler and easier to understand than 
the one of [3]. Using our approach we can prove that the problem can be solved 
in polynomial time. 


Fig. 1. Input tree for 2101.01 (in ternary) and corresponding output tree of $M_{\mathrm{tern}}$.


In a separated non-nested attribute system, distinct sets of operators are 
used for the construction of inherited and synthesized attributes, respectively, 
and inherited attributes may depend on inherited attributes only. Courcelle and 
Franchi-Zannettacci’s algorithm first translates separated non-nested attribute 
grammars into separated total deterministic non-nested macro tree transducers. 
In the sequel we will use the more established term basic macro-tree transducers 
instead of non-nested MTTs. Here, a macro tree transducer is called separated 
if the alphabets used for the construction of parameter values and outside of 
parameter positions are disjoint. And the MTT is basic if there is no nesting 
of state calls, i.e., there are no state calls inside of parameter positions. Let us 
consider an example. We want to translate ternary numbers into expressions 
over +, *, EXP, plus the constants 0, 1, and 2. Additionally, operators s, p, 
and z are used to represent integers in unary. The ternary numbers are parsed 
into particular binary trees; e.g., the left of Fig. 1 shows the binary tree for the 
$$\begin{array}{rcl}
q_0(g(x_1, x_2)) & \to & +(q(x_1, z), q'(x_2, p(z))) \\
q(f(x_1, x_2), y) & \to & +(r(x_2, y), q(x_1, s(y))) \\
q'(f(x_1, x_2), y) & \to & +(r(x_1, y), q'(x_2, p(y))) \\
c(i, y) & \to & *(i, \mathrm{EXP}(3, y)) \qquad \text{for } i \in \{0, 1, 2\},\ c \in \{q, q', r\}
\end{array}$$


Fig. 2. Rules of the transducer $M_{\mathrm{tern}}$.


number 2101.02. This tree is translated by our MTT into the tree on the right of Fig. 1 (which indeed evaluates to 64.2 in decimal). The rules of our transducer $M_{\mathrm{tern}}$ are shown in Fig. 2. The example is similar to the one used by Knuth [20] in order to introduce attribute grammars. The transducer is indeed basic and separated: the operators $p$, $s$, and $z$ are only used in parameter positions.

Our polynomial time decision procedure works in two phases: first, the trans- 
ducer is converted into an “earliest” normal form. In this form, output symbols 
that are not produced within parameter positions are produced as early as pos- 
sible. In particular it means that the root output symbols of the right-hand 
sides of rules for one state must differ. For instance, our transducer Mtern is 
not earliest, because all three r-rules produce the same output root symbol 
(x). Intuitively, this symbol should be produced earlier, e.g., at the place when 
the state r is called. The earliest form is a common technique used for normal 
forms and equivalence testing of different kinds of tree transducers [8, 13,22]. We 
show that equivalent states of a transducer in this earliest form produce their 
state-output exactly in the same way. This means especially that the output of 
parameters is produced in the same places. It is therefore left to check, in the 
second phase, that also these parameter outputs are equivalent. To this end, 
we build an equivalence relation on states of earliest transducers that combines 
the two equivalence tests described before. Technically speaking, the equivalence 
relation is tested by constructing sets of Herbrand equalities. From these equal- 
ities, a fixed point algorithm can, after polynomially many iterations, produce a 
stable set of equalities. 

The proofs of Lemmata 1 and 2 can be found in the appendix of an extended 
version at http://arxiv.org/abs/1902.03858. 


2 Separated Basic Macro Tree Transducers 


Let $\Sigma$ be a ranked alphabet, i.e., every symbol of the finite set $\Sigma$ has associated with it a fixed rank $k \in \mathbb{N}$. Generally, we assume that the input alphabet $\Sigma$ is non-trivial, i.e., $\Sigma$ has cardinality at least 2, and contains at least one symbol of rank 0 and at least one symbol of rank $> 0$. The set $T_\Sigma$ is the set of all (finite, ordered, rooted) trees over the alphabet $\Sigma$. We denote a tree as a string over $\Sigma$ and parentheses and commas, i.e., $f(a, f(a, b))$ is a tree over $\Sigma$, where $f$ is of rank 2 and $a, b$ are of rank zero. We use Dewey dotted decimal notation to refer to a node of a tree: the root node is denoted $\varepsilon$, and for a node $u$, its $i$-th child is denoted by $u.i$. For instance, in the tree $f(a, f(a, b))$ the $b$-node is at position $2.2$. A pattern (or $k$-pattern) (over $\Delta$) is a tree $p \in T_{\Delta \cup \{\top\}}$ over a ranked alphabet $\Delta$ and a disjoint symbol $\top$ (with exactly $k$ occurrences of the symbol $\top$). The occurrences of the dedicated symbol $\top$ serve as place holders for other patterns. Assume that $p$ is a $k$-pattern and that $p_1, \ldots, p_k$ are patterns; then $p[p_1, \ldots, p_k]$ denotes the pattern obtained from $p$ by replacing, for $i = 1, \ldots, k$, the $i$-th occurrence (from left to right) of $\top$ by the pattern $p_i$.

A macro tree transducer (MTT) $M$ is a tuple $(Q, \Sigma, \Delta, \delta)$ where $Q$ is a ranked alphabet of states, $\Sigma$ and $\Delta$ are the ranked input and output alphabets, respectively, and $\delta$ is a finite set of rules of the form:

$$q(f(x_1, \ldots, x_k), y_1, \ldots, y_l) \to T \qquad (1)$$

where $q \in Q$ is a state of rank $l + 1$, $l \geq 0$, $f \in \Sigma$ is an input symbol of rank $k \geq 0$, $x_1, \ldots, x_k$ and $y_1, \ldots, y_l$ are the formal input and output parameters, respectively, and $T$ is a tree built up according to the following grammar:

$$T \;::=\; a(T_1, \ldots, T_m) \;\mid\; q'(x_i, T_1, \ldots, T_n) \;\mid\; y_j$$

for output symbols $a \in \Delta$ of rank $m \geq 0$ and states $q' \in Q$ of rank $n + 1$, input parameter $x_i$ with $1 \leq i \leq k$, and output parameter $y_j$ with $1 \leq j \leq l$. For simplicity, we assume that all states $q$ have the same number $l$ of parameters. Our definition of an MTT does not contain an initial state. We therefore consider an MTT always together with an axiom $A = p[q_1(x_1, T_1), \ldots, q_m(x_1, T_m)]$ where $T_1, \ldots, T_m \in T_\Delta^l$ are vectors of output trees (of length $l$ each). Sometimes we only use an MTT $M$ without explicitly mentioning an axiom $A$; then some $A$ is assumed implicitly. Intuitively, the state $q$ of an MTT corresponds to a function in a functional language which is defined through pattern matching over its first argument, and which constructs tree output using tree top-concatenation only; the second to $(l+1)$-th arguments of state $q$ are its accumulating output parameters. The output produced by a state for a given input tree is determined by the right-hand side $T$ of a rule of the transducer which matches the root symbol $f$ of the current input tree. This right-hand side is built up from accumulating output parameters and calls to states for subtrees of the input and applications of output symbols from $\Delta$. In general MTTs are nondeterministic and only partially defined. Here, however, we concentrate on total deterministic transducers. The MTT $M$ is deterministic, if for every $(q, f) \in Q \times \Sigma$ there is at most one rule of the form (1). The MTT $M$ is total, if for every $(q, f) \in Q \times \Sigma$ there is at least one rule of the form (1). For total deterministic transducers, the semantics of a state $q \in Q$ with the rule $q(f(x_1, \ldots, x_k), y_1, \ldots, y_l) \to T$ can be considered as a function

$$[\![q]\!] : T_\Sigma \times T_\Delta^l \to T_\Delta$$

which inductively is defined by:

$$[\![q]\!](f(t_1, \ldots, t_k), S) = [\![T]\!]\,(t_1, \ldots, t_k)\,S$$

where

$$\begin{array}{rcl}
[\![a(T_1, \ldots, T_m)]\!]\,t\,S & = & a([\![T_1]\!]\,t\,S, \ldots, [\![T_m]\!]\,t\,S) \\
[\![y_j]\!]\,t\,S & = & S_j \\
[\![q'(x_i, T_1, \ldots, T_n)]\!]\,t\,S & = & [\![q']\!](t_i, ([\![T_1]\!]\,t\,S, \ldots, [\![T_n]\!]\,t\,S))
\end{array}$$

where $S = (S_1, \ldots, S_l) \in T_\Delta^l$ is a vector of output trees. The semantics of a pair $(M, A)$ with MTT $M$ and axiom $A = p[q_1(x_1, T_1), \ldots, q_m(x_1, T_m)]$ is defined by $[\![(M, A)]\!](t) = p[[\![q_1]\!](t, T_1), \ldots, [\![q_m]\!](t, T_m)]$. Two pairs $(M_1, A_1)$, $(M_2, A_2)$ consisting of MTTs $M_1, M_2$ and corresponding axioms $A_1, A_2$ are equivalent, $(M_1, A_1) \equiv (M_2, A_2)$, iff for all input trees $t \in T_\Sigma$ and parameter values $T \in T_\Delta^l$, $[\![(M_1, A_1)]\!](t, T) = [\![(M_2, A_2)]\!](t, T)$.
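The inductive definition of $[\![q]\!]$ above, implemented as an added example in Python (this is not code from the paper): right-hand sides are tuples with two extra tags for state calls and parameters, the rules are those of the total transducer of Example 1 (axiom $q(x_1, z)$, the $q_0$ rule of Fig. 2 folded into $q$), and the constructed input is the binary tree for the ternary number 2101.02. The tuple encoding, the tag names and the numeric evaluator of the output expressions are this example's own choices.

```python
# Added example (not code from the paper): an interpreter for total deterministic
# separated basic MTTs following the inductive definition of [[q]], run on the
# total transducer of Example 1 (axiom q(x_1, z)).  The tuple encoding, the tag
# names '@' and '$' and the numeric evaluator are this example's own choices.
from fractions import Fraction

# A tree is a tuple (symbol, child_1, ..., child_k); symbols of rank 0 are 1-tuples.
# Right-hand sides use two extra tags: ('@', q, i, T_1, ..., T_l) stands for the state
# call q(x_i, T_1, ..., T_l) and ('$', j) for the output parameter y_j (1-based).

def call(q, i, *params):
    return ('@', q, i) + params

Y = ('$', 1)                                   # the single parameter y of M_tern

def times_exp(i):                              # the right-hand side *(i, EXP(3, y))
    return ('*', (i,), ('EXP', ('3',), Y))

# Rules of the total transducer of Example 1, keyed by (state, input symbol).
# Keying by that pair makes the transducer deterministic by construction.
MTERN = {
    ('q', 'g'): ('+', call('q', 1, Y), call("q'", 2, ('p', Y))),
    ('q', 'f'): ('+', call('r', 2, Y), call('q', 1, ('s', Y))),
    ("q'", 'g'): ('+', times_exp('0'), times_exp('0')),
    ("q'", 'f'): ('+', call('r', 1, Y), call("q'", 2, ('p', Y))),
    ('r', 'g'): times_exp('0'),
    ('r', 'f'): times_exp('0'),
}
for digit in '012':
    for state in ('q', "q'", 'r'):
        MTERN[(state, digit)] = times_exp(digit)

AXIOM = call('q', 1, ('z',))                   # A = q(x_1, z)

def is_total(rules, states, input_symbols):
    """Every (state, input symbol) pair has a rule, as the definition of 'total' requires."""
    return all((q, f) in rules for q in states for f in input_symbols)

def eval_rhs(T, t, S, rules):
    """[[T]] t S: T a right-hand side, t the tuple of input subtrees, S the parameter vector."""
    tag = T[0]
    if tag == '$':                             # [[y_j]] t S = S_j
        return S[T[1] - 1]
    if tag == '@':                             # [[q'(x_i, T_1..T_n)]] t S = [[q']](t_i, ([[T_1]] t S, ..))
        _, q, i, *params = T
        return run_state(rules, q, t[i], tuple(eval_rhs(P, t, S, rules) for P in params))
    return (tag,) + tuple(eval_rhs(c, t, S, rules) for c in T[1:])   # a(T_1..T_m)

def run_state(rules, q, t, S):
    """[[q]](f(t_1..t_k), S) = [[T]] (t_1..t_k) S for the rule q(f(x_1..x_k), y) -> T.
    Indexing t directly works because t[0] is f and t[i] is t_i."""
    T = rules[(q, t[0])]                       # a KeyError here would mean M is not total
    return eval_rhs(T, t, S, rules)

def run(rules, axiom, t):
    """[[(M, A)]](t): the axiom is a right-hand side whose only input subtree x_1 is t."""
    return eval_rhs(axiom, (None, t), (), rules)

# Constructed input: the binary tree for the ternary number 2101.02, integer digits
# nested under f with the least significant digit rightmost, fraction digits under f
# with the most significant digit leftmost.
T_2101_02 = ('g', ('f', ('f', ('f', ('2',), ('1',)), ('0',)), ('1',)), ('f', ('0',), ('2',)))

def unary(t):
    """Value of a parameter tree over {s, p, z}: s adds one, p subtracts one, z is zero."""
    return {'s': 1, 'p': -1, 'z': 0}[t[0]] + (unary(t[1]) if len(t) > 1 else 0)

def evaluate(t):
    """Exact rational value of an output tree over {+, *, EXP, 0, 1, 2, 3}."""
    if t[0] == '+':
        return evaluate(t[1]) + evaluate(t[2])
    if t[0] == '*':
        return evaluate(t[1]) * evaluate(t[2])
    if t[0] == 'EXP':
        return Fraction(evaluate(t[1])) ** unary(t[2])
    return Fraction(int(t[0]))

if __name__ == '__main__':
    out = run(MTERN, AXIOM, T_2101_02)
    print(out)
    print(evaluate(out))                       # 578/9, i.e. 64.22..., the paper's "64.2"
```

Because the rules are looked up by the pair (state, root symbol), the interpreter can only represent deterministic transducers; totality is the one property it has to check separately, and a missing rule surfaces as a `KeyError` in `run_state`.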

The MTT $M$ is basic, if each argument tree $T_i$ of a subtree $q'(x_i, T_1, \ldots, T_n)$ of right-hand sides $T$ of rules (1) may not contain further occurrences of states, i.e., is in $T_{\Delta \cup Y}$. The MTT $M$ is separated basic, if $M$ is basic, and $\Delta$ is the disjoint union of ranked alphabets $\Delta_{\mathrm{out}}$ and $\Delta_{\mathrm{in}}$, so that the argument trees $T_j$ of subtrees $q'(x_i, T_1, \ldots, T_n)$ are in $T_{\Delta_{\mathrm{in}} \cup Y}$, while the output symbols $a$ outside of such subtrees are from $\Delta_{\mathrm{out}}$. The same must hold for the axiom. Thus, letters directly produced by a state call are in $\Delta_{\mathrm{out}}$ while letters produced in the parameters are in $\Delta_{\mathrm{in}}$. The MTT $M_{\mathrm{tern}}$ from the Introduction is separated basic with $\Delta_{\mathrm{out}} = \{0, 1, 2, 3, *, +, \mathrm{EXP}\}$ and $\Delta_{\mathrm{in}} = \{p, s, z\}$.

As separated basic MTTs are in the focus of our interests, we make the grammar for their right-hand side trees $T$ explicit:

$$\begin{array}{rcl}
T & ::= & a(T_1, \ldots, T_m) \;\mid\; y_j \;\mid\; q'(x_i, T'_1, \ldots, T'_n) \\
T' & ::= & b(T'_1, \ldots, T'_{m'}) \;\mid\; y_j
\end{array}$$

where $a \in \Delta_{\mathrm{out}}$, $q' \in Q$, $b \in \Delta_{\mathrm{in}}$ of ranks $m$, $n+1$ and $m'$, respectively, and $p$ is an $n$-pattern over $\Delta$. For separated basic MTTs only axioms $A = p[q_1(x_1, T_1), \ldots, q_m(x_1, T_m)]$ with $T_1, \ldots, T_m \in T_{\Delta_{\mathrm{in}}}^l$ are considered.

Note that equivalence of nondeterministic transducers is undecidable (even 
already for very small subclasses of transductions [18]). Therefore, we assume 
for the rest of the paper that all MTTs are deterministic and separated basic. 
We will also assume that all MTTs are total, with the exception of Sect. 5 where 
we also consider partial MTTs. 


Example 1. We reconsider the example from the Introduction and adjust it to our formal definition. The transducer was given without an axiom (but with a tacitly assumed “start state” $q_0$). Let us now remove the state $q_0$ and add the axiom $A = q(x_1, z)$. The new rule of $q$ for $g$ is:

$$q(g(x_1, x_2), y) \to +(q(x_1, y), q'(x_2, p(y))).$$

To make the transducer total, we add for state $q'$ the rule

$$q'(g(x_1, x_2), y) \to +(*(0, \mathrm{EXP}(3, y)), *(0, \mathrm{EXP}(3, y))).$$

For state $r$ we add rules $r(a(x_1, x_2), y) \to *(0, \mathrm{EXP}(3, y))$ with $a = f, g$. The MTT is separated basic with $\Delta_{\mathrm{out}} = \{0, 1, 2, 3, *, +, \mathrm{EXP}\}$ and $\Delta_{\mathrm{in}} = \{p, s, z\}$.
We restricted ourselves to total separated basic MTTs. However, we would like to be able to decide equivalence for partial transducers as well. For this reason we define now top-down tree automata, and will then decide equivalence of MTTs relative to some given DTA $D$. A deterministic top-down tree automaton (DTA) $D$ is a tuple $(B, \Sigma, b_0, \delta_D)$ where $B$ is a finite set of states, $\Sigma$ is a ranked alphabet of input symbols, $b_0 \in B$ is the initial state, and $\delta_D$ is the partial transition function with rules of the form $b(f(x_1, \ldots, x_k)) \to (b_1(x_1), \ldots, b_k(x_k))$, where $b, b_1, \ldots, b_k \in B$ and $f \in \Sigma$ of rank $k$. W.l.o.g. we always assume that all states $b$ of a DTA are productive, i.e., $\mathrm{dom}(b) \neq \emptyset$. If we consider an MTT $M$ relative to a DTA $D$ we implicitly assume a mapping $\pi : Q \to B$, that maps each state of $M$ to a state of $D$; then we consider for $q$ only input trees in $\mathrm{dom}(\pi(q))$.


3 Top-Down Normalization of Transducers 


In this section we show that each total deterministic basic separated MTT can be put into an “earliest” normal form relative to a fixed DTA $D$. Intuitively, state output (in $\Delta_{\mathrm{out}}$) is produced as early as possible for a transducer in the normal form. It can then be shown that two equivalent transducers in normal form produce their state output in exactly the same way.

Recall the definition of patterns as trees over $T_{\Delta \cup \{\top\}}$. Substitution of $\top$-symbols by other patterns induces a partial ordering $\sqsubseteq$ over patterns by $p \sqsubseteq p'$ if and only if $p = p'[p_1, \ldots, p_m]$ for some patterns $p_1, \ldots, p_m$. W.r.t. this ordering, $\top$ is the largest element, while all patterns without occurrences of $\top$ are minimal. By adding an artificial least element $\bot$, the resulting partial ordering is in fact a complete lattice. Let us denote this complete lattice by $\mathcal{P}_\Delta$.

Let $\Delta = \Delta_{\mathrm{in}} \cup \Delta_{\mathrm{out}}$. For $T \in T_{\Delta \cup Y}$, we define the $\Delta_{\mathrm{out}}$-prefix as the pattern $p \in T_{\Delta_{\mathrm{out}} \cup \{\top\}}$ as follows. Assume that $T = a(T_1, \ldots, T_m)$.


– If $a \in \Delta_{\mathrm{out}}$, then $p = a(p_1, \ldots, p_m)$ where for $j = 1, \ldots, m$, $p_j$ is the $\Delta_{\mathrm{out}}$-prefix of $T_j$.
– If $a \in \Delta_{\mathrm{in}} \cup Y$, then $p = \top$.


By this definition, each tree $t \in T_{\Delta \cup Y}$ can be uniquely decomposed into a $\Delta_{\mathrm{out}}$-prefix $p$ and subtrees $t_1, \ldots, t_m$ whose root symbols all are contained in $\Delta_{\mathrm{in}} \cup Y$ such that $t = p[t_1, \ldots, t_m]$.

Let $M$ be a total separated basic MTT and $D$ be a given DTA. We define the $\Delta_{\mathrm{out}}$-prefix of a state $q$ of $M$ relative to $D$ as the minimal pattern $p \in T_{\Delta_{\mathrm{out}} \cup \{\top\}}$ so that each tree $[\![q]\!](t, T)$, $t \in \mathrm{dom}(\pi(q))$, $T \in T_\Delta^l$, is of the form $p[T_1, \ldots, T_m]$ for some sequence of subtrees $T_1, \ldots, T_m \in T_\Delta$. Let us denote this unique pattern $p$ by $\mathrm{pref}_D(q)$. If $q(f, y_1, \ldots, y_l) \to T$ is a rule of a separated basic MTT and there is an input tree $f(t_1, \ldots, t_k) \in \mathrm{dom}(\pi(q))$ then $|\mathrm{pref}_D(q)| \leq |T|$.


Lemma 1. Let $M$ be a total separated basic MTT and $D$ a given DTA. Let $t \in \mathrm{dom}(\pi(q))$ be a smallest input tree of a state $q$ of $M$. The $\Delta_{\mathrm{out}}$-prefix of every state $q$ of $M$ relative to $D$ can be computed in time $O(|t| \cdot |M|)$.

The proof is similar to the one of [8, Theorem 8] for top-down tree transducers. This construction can be carried over as, for the computation of $\Delta_{\mathrm{out}}$-prefixes, the precise contents of the output parameters $y_j$ can be ignored.


Example 2. We compute the $\Delta_{\mathrm{out}}$-prefix of the MTT $M$ from Example 1. We consider $M$ relative to the trivial DTA $D$ that consists only of one state $b$ with $\mathrm{dom}(b) = T_\Sigma$. We therefore omit $D$ in our example. We get the following system of in-equations: from the rules of state $r$ we obtain $Y_r \sqsupseteq *(i, \mathrm{EXP}(3, \top))$ with $i \in \{0, 1, 2\}$. From the rules of state $q$ we obtain $Y_q \sqsupseteq +(Y_q, Y_{q'})$, $Y_q \sqsupseteq +(Y_r, Y_q)$ and $Y_q \sqsupseteq *(i, \mathrm{EXP}(3, \top))$ with $i \in \{0, 1, 2\}$. From the rules of state $q'$ we obtain $Y_{q'} \sqsupseteq +(*(0, \mathrm{EXP}(3, \top)), *(0, \mathrm{EXP}(3, \top)))$, $Y_{q'} \sqsupseteq +(Y_r, Y_{q'})$ and $Y_{q'} \sqsupseteq *(i, \mathrm{EXP}(3, \top))$ with $i \in \{0, 1, 2\}$. For the fixpoint iteration we initialize $Y_q^{(0)}, Y_{q'}^{(0)}, Y_r^{(0)}$ with $\bot$ each. Then $Y_r^{(1)} = *(\top, \mathrm{EXP}(3, \top)) = Y_r^{(2)}$ and $Y_q^{(2)} = \top$, $Y_{q'}^{(2)} = \top$. Thus, the fixpoint iteration ends after two rounds with the solution $\mathrm{pref}_D(q) = \top$.


Let $M$ be a separated basic MTT and $D$ be a given DTA. $M$ is called $D$-earliest if for every state $q \in Q$ the $\Delta_{\mathrm{out}}$-prefix with respect to $\pi(q)$ is $\top$.


Lemma 2. For every pair $(M, A)$ consisting of a total separated basic MTT $M$ and axiom $A$ and a given DTA $D$, an equivalent pair $(M', A')$ can be constructed so that $M'$ is a total separated basic MTT that is $D$-earliest. Let $t$ be an output tree of $(M, A)$ for a smallest input tree $t \in \mathrm{dom}(\pi(q))$ where $q$ is the state occurring in $A$. Then the construction runs in time $O(|t| \cdot |(M, A)|)$.


The construction follows the same line as the one for the earliest form of top-down tree transducers, cf. [8, Theorem 11]. Note that for partial separated basic MTTs the size of the $\Delta_{\mathrm{out}}$-prefixes is at most exponential in the size of the transducer. However, for the total transducers that we consider here the $\Delta_{\mathrm{out}}$-prefixes are linear in the size of the transducer and can be computed in quadratic time, cf. [8].

Corollary 1. For $(M, A)$ consisting of a total deterministic separated basic MTT $M$ and axiom $A$ and the trivial DTA $D$ accepting $T_\Sigma$ an equivalent pair $(M', A')$ can be constructed in quadratic time such that $M'$ is a $D$-earliest total deterministic separated basic MTT.


Example 3. We construct an equivalent earliest MTT $M''$ for the transducer from Example 1. In Example 2 we already computed the $\Delta_{\mathrm{out}}$-prefixes of states $q, q', r$: $\mathrm{pref}_D(q) = \top$, $\mathrm{pref}_D(q') = \top$ and $\mathrm{pref}_D(r) = *(\top, \mathrm{EXP}(3, \top))$. As there is only one occurrence of symbol $\top$ in the $\Delta_{\mathrm{out}}$-prefixes of $q$ and $q'$ we call states $(q, 1)$ and $(q', 1)$ by $q$ and $q'$, respectively. Hence, a corresponding earliest transducer has axiom $A = q(x_1, z)$. The rules of $q$ and $q'$ for input symbol $g$ do not change. For input symbol $f$ we obtain

$$\begin{array}{rcl}
q(f(x_1, x_2), y) & \to & +(*(r(x_2, y), \mathrm{EXP}(3, y)), q(x_1, s(y))) \quad\text{and} \\
q'(f(x_1, x_2), y) & \to & +(*(r(x_1, y), \mathrm{EXP}(3, y)), q'(x_2, p(y))).
\end{array}$$

As there is only one occurrence of symbol $\top$ related to a recursive call in $\mathrm{pref}_D(r)$ we call $(r, 1)$ by $r$. For state $r$ we obtain new rules $r(a(x_1, x_2), y) \to 0$ with $a \in \{f, g\}$ and $r(i, y) \to i$ with $i \in \{0, 1, 2\}$.
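The $\Delta_{\mathrm{out}}$-prefix computation of Example 2 and the earliest check on the transducer $M''$ of Example 3, as an added example in Python (this is not code from the paper): patterns are tuples over $\Delta_{\mathrm{out}}$ with two reserved strings for the lattice constants $\top$ and $\bot$, the join is the least general generalisation of two patterns (the least upper bound of the instance ordering $\sqsubseteq$), and the in-equations $Y_q \sqsupseteq \ldots$ are solved by Kleene iteration from $\bot$ over the rules of $M$ (Example 1) and of $M''$ (Example 3). The trivial DTA is assumed, so $\pi$ is dropped; the tuple encoding of rules and the helper names are this example's own.

```python
# Added example (not code from the paper): Delta_out-prefixes by fixpoint iteration over
# the pattern lattice, reproducing Example 2 for M (Example 1) and checking that the
# transducer M'' of Example 3 is earliest.  Patterns are tuples over Delta_out, with the
# strings TOP and BOT for the two lattice constants; the encoding is this example's own.

TOP, BOT = '⊤', '⊥'                     # ⊤ largest pattern, ⊥ artificial least element
DELTA_IN = {'p', 's', 'z'}              # Delta_in of M_tern: cut to ⊤ by the prefix

def join(p1, p2):
    """Least upper bound for p ⊑ p' iff p = p'[...]: the most specific pattern that both
    p1 and p2 are instances of (their least general generalisation)."""
    if p1 == BOT:
        return p2
    if p2 == BOT:
        return p1
    if p1 == TOP or p2 == TOP or p1[0] != p2[0] or len(p1) != len(p2):
        return TOP
    return (p1[0],) + tuple(join(a, b) for a, b in zip(p1[1:], p2[1:]))

def rhs_pattern(T, Y):
    """Delta_out-prefix of a right-hand side T when each state q is assumed to produce
    only instances of Y[q]: parameters y_j and Delta_in-rooted subtrees become ⊤,
    a state call becomes Y[q].  ⊥ (no output known yet) is propagated upwards."""
    tag = T[0]
    if tag == '$' or tag in DELTA_IN:
        return TOP
    if tag == '@':
        return Y[T[1]]
    kids = [rhs_pattern(c, Y) for c in T[1:]]
    return BOT if BOT in kids else (tag,) + tuple(kids)

def prefixes(rules):
    """Solve Y_q ⊒ pattern(rhs) for every rule of q by Kleene iteration from ⊥.
    With the trivial DTA every input tree is in dom(pi(q)), so pi is not needed."""
    Y = {q: BOT for q, _ in rules}
    while True:
        new = dict(Y)
        for (q, _), T in rules.items():
            new[q] = join(new[q], rhs_pattern(T, Y))
        if new == Y:
            return Y
        Y = new

def is_earliest(rules):
    """D-earliest: every state has Delta_out-prefix ⊤ (trivial DTA D)."""
    return all(p == TOP for p in prefixes(rules).values())

# Rule encoding: ('@', q, i, params...) is the state call q(x_i, params...),
# ('$', j) the parameter y_j, anything else an output symbol with its children.
def call(q, i, *params):
    return ('@', q, i) + params

Y1 = ('$', 1)

def times_exp(i):                       # *(i, EXP(3, y))
    return ('*', (i,), ('EXP', ('3',), Y1))

# M: the total transducer of Example 1.
M = {('q', 'g'): ('+', call('q', 1, Y1), call("q'", 2, ('p', Y1))),
     ('q', 'f'): ('+', call('r', 2, Y1), call('q', 1, ('s', Y1))),
     ("q'", 'g'): ('+', times_exp('0'), times_exp('0')),
     ("q'", 'f'): ('+', call('r', 1, Y1), call("q'", 2, ('p', Y1)))}
M.update({(c, i): times_exp(i) for c in ('q', "q'", 'r') for i in '012'})
M.update({('r', a): times_exp('0') for a in 'fg'})

# M'' of Example 3: same g-rules for q and q', the * pulled out of the calls to r.
M_EARLIEST = {('q', 'g'): M[('q', 'g')], ("q'", 'g'): M[("q'", 'g')],
              ('q', 'f'): ('+', ('*', call('r', 2, Y1), ('EXP', ('3',), Y1)), call('q', 1, ('s', Y1))),
              ("q'", 'f'): ('+', ('*', call('r', 1, Y1), ('EXP', ('3',), Y1)), call("q'", 2, ('p', Y1)))}
M_EARLIEST.update({(c, i): times_exp(i) for c in ('q', "q'") for i in '012'})
M_EARLIEST.update({('r', a): ('0',) for a in 'fg'})
M_EARLIEST.update({('r', i): (i,) for i in '012'})

if __name__ == '__main__':
    print(prefixes(M))            # q, q' -> ⊤ ; r -> ('*', '⊤', ('EXP', ('3',), '⊤'))
    print(is_earliest(M), is_earliest(M_EARLIEST))   # False True
```

Propagating $\bot$ through a right-hand side (rather than treating it like $\top$) is what makes the iteration sound: a rule whose called state has produced no output yet contributes nothing to the join, exactly as in the hand computation of Example 2 where $Y_q^{(1)}$ comes from the leaf rules alone.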
We define a family of equivalence relations by induction. $\equiv_b \subseteq ((Q, T_{\Delta_{\mathrm{in}}}) \cup T_{\Delta_{\mathrm{in}}}) \times ((Q, T_{\Delta_{\mathrm{in}}}) \cup T_{\Delta_{\mathrm{in}}})$, with $b$ a state of a given DTA, is the intersection of the equivalence relations $\equiv_b^{(h)}$, i.e., $X \equiv_b Z$ if and only if for all $h \geq 0$, $X \equiv_b^{(h)} Z$. We let $(q, T) \equiv_b^{(h+1)} (q', T')$ if for all $f \in \mathrm{dom}(b)$ with $b(f(x_1, \ldots, x_k)) \to (b_1, \ldots, b_k)$, there is a pattern $p$ such that $q(f(x_1, \ldots, x_k), y) \to p[t_1, \ldots, t_m]$ and $q'(f(x_1, \ldots, x_k), y') \to p[t'_1, \ldots, t'_m]$ with
— if t; and t; are both recursive calls to the same subtree, i.e., ti = qi(x;,, Ti), 

t; = g(a, Ti) and ji = j, then (qi, Ti)[T/y] =, (ai, THIT y] 

— if ¢; and t; are both recursive calls but on different subtrees, i.e., ti = 
qilty,,T), th = q(xj.,Tj) and ji # Jj, then 3 = [a)(s,T)[LZ/y) = 
[aNs T)IL/y) for some 5 € 2 and (ai, T)(L/y] S ESH (al, TOE 

— if t; and t, are both parameter calls, i.e., t; = yj; and = =y; 1 then Tj, = =T}; 

— if t; is a parameter call and t; a recursive call, i.e., ti = Yj; a t= = olay sT), 
then Tj, S$ (dp TOIT /y'] 


-— T to the latter case) if t; is a recursive call and t; a parameter call, 
ie., ti = (Sj Ti) and ti = yi; then (t, T:)[Z/y] Sy Thr 


We let T =+) (q', T") if for all f € dom(b) with r(f(£1,...,£K)) > (b1,--+5 br), 
(fla), y) >t, 


- if t = yj then T = T; 
- if t' = qi (2i, Ti) then T 24”) (q, TOT" /y']. 


Intuitively, (q,T) =? (q', T”) if for all input trees t € dom(b) of height h, 
lalt, T) = [qg] (t, 2’). Then (q4, T) =, (q', T”) if for all input trees t € dom(b) 
(independent of the height), [q] (t, T) = [g] (t, T^). 


Theorem 1. For a given DTA $D$ with initial state $b$, let $M, M'$ be $D$-earliest total deterministic separated basic MTTs with axioms $A$ and $A'$, respectively. Then $(M, A)$ is equivalent to $(M', A')$ relative to $D$, iff there is a pattern $p$ such that $A = p[q_1(x_1, T_1), \dots, q_m(x_1, T_m)]$ and $A' = p[q'_1(x_1, T'_1), \dots, q'_m(x_1, T'_m)]$ and for $j = 1, \dots, m$, $(q_j, T_j) \cong_b (q'_j, T'_j)$, i.e., $q_j$ and $q'_j$ are equivalent on the values of output parameters $T_j$ and $T'_j$.


Proof. Let $\Delta$ be the output alphabet of $M$ and $M'$. Assume that $(M, A) \equiv (M', A')$. As $M$ and $M'$ are earliest, the $\Delta_{out}$-prefix of $\llbracket (M, A) \rrbracket(t)$ and $\llbracket (M', A') \rrbracket(t)$, for $t \in \mathrm{dom}(b)$, is the same pattern $p$ and therefore $A = p[q_1(x_1, T_1), \dots, q_m(x_1, T_m)]$ and $A' = p[q'_1(x_1, T'_1), \dots, q'_m(x_1, T'_m)]$. To show that $(q_i, T_i) \cong_b (q'_i, T'_i)$ let $u_i$ be the position of the $i$-th $\top$-node in the pattern $p$. For some $t \in \mathrm{dom}(b)$ let $t_i$ and $t'_i$ be the subtrees at $u_i$ of $\llbracket (M, A) \rrbracket(t)$ and $\llbracket (M', A') \rrbracket(t)$, respectively. Then $t_i = t'_i$ and therefore $(q_i, T_i) \cong_b (q'_i, T'_i)$. Now, assume that the axioms $A = p[q_1(x_1, T_1), \dots, q_m(x_1, T_m)]$ and $A' = p[q'_1(x_1, T'_1), \dots, q'_m(x_1, T'_m)]$ consist of the same pattern $p$ and for $i = 1, \dots, m$, $(q_i, T_i) \cong_b (q'_i, T'_i)$. Let $t \in \mathrm{dom}(b)$ be an input tree; then

$$\llbracket (M, A) \rrbracket(t) = p[\llbracket q_1 \rrbracket(t, T_1), \dots, \llbracket q_m \rrbracket(t, T_m)] = p[\llbracket q'_1 \rrbracket(t, T'_1), \dots, \llbracket q'_m \rrbracket(t, T'_m)] = \llbracket (M', A') \rrbracket(t). \qquad \square$$


4 Polynomial Time 


In this section we prove the main result of this paper, namely, that for each 
fixed DTA D, equivalence of total deterministic basic separated MTTs (relative 
to D) can be decided in polynomial time. This is achieved by taking as input two 
D-earliest such transducers, and then collecting conditions on the parameters of 
pairs of states of the respective transducers for their produced outputs to be 
equal. 


Example 4. Consider a DTA $D$ with a single state only which accepts all inputs, and states $q, q'$ with

$q(a, y_1, y_2) \to g(y_1)$ and $q'(a, y'_1, y'_2) \to g(y'_2)$.

Then $q$ and $q'$ can only produce identical outputs for the input $a$ (in $\mathrm{dom}(b)$) if parameter $y'_2$ of $q'$ contains the same output tree as parameter $y_1$ of $q$. This precondition can be formalized by the equality $y'_2 = y_1$. Note that in order to distinguish the output parameters of $q'$ from those of $q$ we have used primed copies $y'_i$ for $q'$.


It turns out that conjunctions of equalities such as in Example 4 are sufficient for proving equivalence of states. For states $q, q'$ of total separated basic MTTs $M, M'$, respectively, that are both $D$-earliest for some fixed DTA $D$, $h \ge 0$ and some fresh variable $z$, we define

$$\psi^{(h)}_{b,q}(z) \;=\; \bigwedge_{\substack{b(f\,x) \to (b_1, \dots, b_k)\\ q(f\,x, y) \to y_j}} (z = y_j) \;\wedge\; \bigwedge_{\substack{b(f\,x) \to (b_1, \dots, b_k)\\ q(f\,x, y) \to q_i(x_i, T)}} \psi^{(h-1)}_{b_i, q_i}(z)[T/y] \;\wedge\; \bigwedge_{\substack{b(f\,x) \to (b_1, \dots, b_k)\\ q(f\,x, y) \to p[\dots],\; p \ne \top}} \bot$$

where $\bot$ is the boolean value false. We denote the output parameters in $\psi^{(h)}_{b,q}(z)$ by $y$; we define $\psi^{(h)}_{b,q'}(z)$ in the same lines as $\psi^{(h)}_{b,q}(z)$ but using $y'$ for the output parameters. To substitute the output parameters with trees $T, T'$, we therefore use $\psi^{(h)}_{b,q}(z)[T/y]$ and $\psi^{(h)}_{b,q'}(z)[T'/y']$. Assuming that $q$ is a state of the $D$-earliest separated basic MTT $M$, then $\psi^{(h)}_{b,q}(z)$ is true for all ground parameter values $s$ and some $T \in T_{\Delta \cup Y}$ if $\llbracket q \rrbracket(t, s) = T[s/y]$ for all input trees $t \in \mathrm{dom}(b)$ of height at most $h$. Note that, since $M$ is $D$-earliest, $T$ is necessarily in $T_{\Delta_{in} \cup Y}$. W.l.o.g., we assume that every state $b$ of $D$ is productive, i.e., $\mathrm{dom}(b) \ne \emptyset$. For each state $b$ of $D$, we therefore may choose some input tree $t_b \in \mathrm{dom}(b)$ of minimal depth. We define $s_{b,q}$ to be the output of $q$ for a minimal input tree $t_b \in \mathrm{dom}(b)$ and parameter values $y$, when considering formal output parameters as output symbols in $\Delta_{in}$, i.e., $s_{b,q} = \llbracket q \rrbracket(t_b, y)$.


Example 5. We consider again the trivial DTA $D$ with only one state $b$ that accepts all $t \in T_\Sigma$. Thus, we may choose $t_b = a$. For a state $q$ with the following two rules $q(a, y_1, y_2) \to y_1$ and $q(f(x), y_1, y_2) \to q(x, h(y_2), b)$, we have $s_{b,q} = y_1$. Moreover, we obtain

$$\begin{aligned}
\psi^{(0)}_{b,q}(z) &= (z = y_1) \\
\psi^{(1)}_{b,q}(z) &= (z = y_1) \wedge (z = h(y_2)) \\
\psi^{(2)}_{b,q}(z) &= (z = y_1) \wedge (z = h(y_2)) \wedge (z = h(b)) \\
&= (y_2 = b) \wedge (y_1 = h(b)) \wedge (z = h(b)) \\
\psi^{(3)}_{b,q}(z) &= (z = y_1) \wedge (b = b) \wedge (h(y_2) = h(b)) \wedge (z = h(b)) \\
&= (y_2 = b) \wedge (y_1 = h(b)) \wedge (z = h(b))
\end{aligned}$$

We observe that $\psi^{(2)}_{b,q}(z) = \psi^{(3)}_{b,q}(z)$.

According to our equivalence relation $\cong_b$, $b$ a state of the DTA $D$, we define for states $q, q'$ of $D$-earliest total deterministic separated basic MTTs $M, M'$, and $h \ge 0$, the conjunction $\Phi^{(h)}_{b,(q,q')}$ by

$$\begin{aligned}
\Phi^{(h)}_{b,(q,q')} = \bigwedge_{\substack{b(f\,x)\to(b_1,\dots,b_k)\\ q(f\,x,y)\to p[t]\\ q'(f\,x,y')\to p[t']}} \Big(
& \bigwedge_{\substack{t_i = y_{j_i}\\ t'_i = y'_{j'_i}}} (y_{j_i} = y'_{j'_i}) \;\wedge\;
\bigwedge_{\substack{t_i = y_{j_i}\\ t'_i = q'_i(x_{j'_i}, T')}} \psi^{(h-1)}_{b_{j'_i}, q'_i}(y_{j_i})[T'/y'] \;\wedge\;
\bigwedge_{\substack{t_i = q_i(x_{j_i}, T)\\ t'_i = y'_{j'_i}}} \psi^{(h-1)}_{b_{j_i}, q_i}(y'_{j'_i})[T/y] \\
& \wedge \bigwedge_{\substack{t_i = q_i(x_{j_i}, T)\\ t'_i = q'_i(x_{j'_i}, T')\\ j_i = j'_i}} \Phi^{(h-1)}_{b_{j_i},(q_i,q'_i)}[T/y][T'/y'] \;\wedge\;
\bigwedge_{\substack{t_i = q_i(x_{j_i}, T)\\ t'_i = q'_i(x_{j'_i}, T')\\ j_i \ne j'_i}} \big(\psi^{(h-1)}_{b_{j_i}, q_i}(z)[T/y] \wedge \psi^{(h-1)}_{b_{j'_i}, q'_i}(z)[T'/y']\big) \Big) \\
& \wedge \bigwedge_{\substack{b(f\,x)\to(b_1,\dots,b_k)\\ q(f\,x,y)\to p[t],\; q'(f\,x,y')\to p'[t']\\ p \ne p'}} \bot
\end{aligned}$$

$\Phi^{(h)}_{b,(q,q')}$ is defined in the same lines as the equivalence relation $\cong^{(h)}_b$: $\Phi^{(h)}_{b,(q,q')}[T/y][T'/y']$ is true for all values of output parameters $T, T'$ such that $\llbracket q \rrbracket(t, T) = \llbracket q' \rrbracket(t, T')$ for $t \in \mathrm{dom}(b)$ of height at most $h$. By induction on $h \ge 0$, we obtain:
Lemma 3. For a given DTA $D$, states $q, q'$ of $D$-earliest total separated basic MTTs, vectors of trees $T, T'$ over $\Delta_{in}$, $b$ a state of $D$, $s \in \mathrm{dom}(b)$, and $h \ge 0$ the following two statements hold:

$\Phi^{(h)}_{b,(q,q')}$

Every satisfiable conjunction of equalities is equivalent to a (possibly empty) finite conjunction of equations of the form $y_i = t_i$, $t_i \in T_{\Delta_{in} \cup Y}$, where the $y_i$ are distinct and no equation is of the form $y_i = y_i$. We call such conjunctions reduced. If we have two inequivalent reduced conjunctions $\phi_1$ and $\phi_2$ with $\phi_1 \Rightarrow \phi_2$ then $\phi_1$ contains strictly more equations. From that follows that for every sequence $\phi_0 \Rightarrow \dots \Rightarrow \phi_m$ of pairwise inequivalent reduced conjunctions $\phi_i$ with $k$ variables, $m \le k + 1$ holds. This observation is crucial for the termination of the fixpoint iteration we will use to compute $\Phi^{(h)}_{b,(q,q')}$, which is a conjunction of equations of the form $y_i = y'_j$ and $y_i = t$ with $t \in T_{\Delta_{in}}$. For $h > 0$ we have:

$$\psi^{(h)}_{b,q}(z) \Rightarrow \psi^{(h-1)}_{b,q}(z) \qquad (2)$$
$$\Phi^{(h)}_{b,(q,q')} \Rightarrow \Phi^{(h-1)}_{b,(q,q')} \qquad (3)$$

As we fixed the number of output parameters to the number $l$, for each pair $(q, q')$ the conjunction $\Phi^{(h)}_{b,(q,q')}$ contains at most $2l$ variables $y_i, y'_j$. Assuming that the MTTs to which state $q$ and $q'$ belong have $n$ states each, we conclude that the sequences (2) and (3) are ultimately stable: there is some $h_0$ such that $\psi^{(h_0)}_{b,q} = \psi^{(h_0+i)}_{b,q}$ and $\Phi^{(h_0)}_{b,(q,q')} = \Phi^{(h_0+i)}_{b,(q,q')}$ for all $i \ge 0$. Thus, we can define $\psi_{b,q} := \psi^{(h_0)}_{b,q}$ and $\Phi_{b,(q,q')} := \Phi^{(h_0)}_{b,(q,q')}$. As $(q, T) \cong_b (q', T')$ iff for all $h \ge 0$, $(q, T) \cong^{(h)}_b (q', T')$ holds, observation (3) implies that

$$(q, T) \cong_b (q', T') \iff \Phi_{b,(q,q')}[T/y][T'/y'] = \mathrm{true}.$$

Therefore, we have:

Lemma 4. For a DTA $D$, states $q, q'$ of $D$-earliest separated basic MTTs $M, M'$ and a state $b$ of $D$, the formula $\Phi_{b,(q,q')}$ can be computed in time polynomial in the sizes of $M$ and $M'$.

Deciding Equivalence of Separated Non-nested Attribute Systems 499

Proof. We successively compute the conjunctions $\psi^{(h)}_{b,q}(z)$, $\psi^{(h)}_{b,q'}(z)$, $\Phi^{(h)}_{b,(q,q')}$, $h \ge 0$, for all states $b, q, q'$. As discussed before, some $h < n^2(2l+1)$ exists such that the conjunctions for $h + 1$ are equivalent to the corresponding conjunctions for $h$, in which case we terminate. It remains to prove that the conjunctions for $h$ can be computed from the conjunctions for $h - 1$ in polynomial time. For that, it is crucial that we maintain reduced conjunctions. Nonetheless, the sizes of occurring right-hand sides of equalities may be quite large. Consider for example the conjunction $x_1 = a \wedge x_2 = f(x_1, x_1) \wedge \dots \wedge x_n = f(x_{n-1}, x_{n-1})$. The corresponding reduced conjunction is then given by $x_1 = a \wedge x_2 = f(a, a) \wedge \dots \wedge x_n = f(f(f(\dots(f(a, a))\dots)))$ where the sizes of right-hand sides grow exponentially. In order to arrive at a polynomial-size representation, we therefore rely on compact representations where isomorphic subtrees are represented only once. W.r.t. this representation, reduction of a non-reduced conjunction, implications between reduced conjunctions as well as substitution of variables in conjunctions can all be realized in polynomial time. From that, the assertion of the lemma follows.


Example 6. Let $D$ be a DTA with the following rules $b(f(x)) \to (b)$, $b(g) \to ()$ and $b(h) \to ()$. Let $q$ and $q'$ be states of separated basic MTTs $M, M'$, respectively, that are $D$-earliest, and $\pi, \pi'$ be the mappings from the states of $D$ to the states of $M, M'$ with $(b, q) \in \pi$ and $(b, q') \in \pi'$.

$$\begin{aligned}
q(f(x), y_1, y_2) &\to a(q(x, b(y_1, y_1), c(y_2)), d) \\
q(g, y_1, y_2) &\to y_1 \\
q(h, y_1, y_2) &\to y_2 \\[4pt]
q'(f(x), y'_1, y'_2) &\to a(q'(x, c(y'_1), b(y'_2, y'_2)), d) \\
q'(g, y'_1, y'_2) &\to y'_2 \\
q'(h, y'_1, y'_2) &\to y'_1
\end{aligned}$$

$$\begin{aligned}
\Phi^{(1)}_{b,(q,q')} &= (y_1 = y'_2) \wedge (y_2 = y'_1) \wedge (b(y_1, y_1) = b(y'_2, y'_2)) \wedge (c(y_2) = c(y'_1)) \\
&= (y_1 = y'_2) \wedge (y_2 = y'_1) = \Phi^{(0)}_{b,(q,q')}
\end{aligned}$$
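The fixpoint iteration of Example 5, the reduction to solved form and the termination argument of Lemma 4, and the computation of $\Phi$ in Example 6 can be run mechanically. The following Python program is an added example and not code from the paper. The encoding of terms, rules and DTAs, the treatment of height 0 (only rank-0 input symbols contribute), and the elimination of the fresh variable $z$ of the different-subtrees case by projecting it out after reduction are choices made here. It reproduces $\psi^{(2)}_{b,q} = \psi^{(3)}_{b,q}$ for Example 5 and $\Phi^{(1)}_{b,(q,q')} = \Phi^{(0)}_{b,(q,q')}$ for Example 6.

```python
"""psi^(h)_{b,q}(z) and Phi^(h)_{b,(q,q')} of Section 4 by fixpoint iteration, run on Examples 5 and 6.
Added example, not code from the paper; its encodings are assumptions: a term is a variable name or a
(symbol, *args) tuple; a right-hand side p[t_1..t_m] is (p, (t_1..t_m)) with p a string ("T" = one hole)
and t_i = ("@p", y_j) or ("@c", q_i, j, (T_1..)) for the call q_i(x_{j+1}, T_1..); a DTA maps (state, f)
to successor states; an MTT has "rules" {(q, f): rhs} and "params" {q: [y..]}; a conjunction is a list
of equations, FALSE an unsatisfiable one; at height 0 only rank-0 symbols contribute; fresh z's are
projected away after reduction."""
from itertools import count
FRESH, FALSE = count(1), [(("false",), ("true",))]       # two distinct constants never unify
subst = lambda t, s: s.get(t, t) if isinstance(t, str) else (t[0],) + tuple(subst(a, s) for a in t[1:])
occurs = lambda v, t: t == v if isinstance(t, str) else any(occurs(v, a) for a in t[1:])

def rename(c, names, ts):              # c[T/y]: substitute the parameter names y by the trees T
    s = dict(zip(names, ts))
    return [(subst(l, s), subst(r, s)) for l, r in c]

def reduce(c):
    """Solved form {y_i: t_i} (distinct y_i, none inside a t_j) by unification; None if unsatisfiable."""
    s, work = {}, list(c)
    while work:
        l, r = (subst(x, s) for x in work.pop())
        if l == r:
            continue
        if isinstance(l, str) or isinstance(r, str):
            v, t = (l, r) if isinstance(l, str) else (r, l)
            if occurs(v, t):
                return None                # y = f(.. y ..) has no finite tree as solution
            s = {u: subst(w, {v: t}) for u, w in s.items()}
            s[v] = t
        elif l[0] != r[0] or len(l) != len(r):
            return None                    # clash of output symbols (this is how FALSE reduces)
        else:
            work.extend(zip(l[1:], r[1:]))
    return {v: t for v, t in s.items() if not v.startswith("_")}   # project out the fresh z's

def equivalent(a, b):                  # each solved form makes every equation of the other trivial
    imp = lambda x, y: all(subst(v, x) == subst(t, x) for v, t in y.items())
    return a is b if a is None or b is None else imp(a, b) and imp(b, a)

def call_psi(N, dta, succ, c, h, z):   # psi^(h)_{b_j, q_i}(z)[T/y] for the call c = ("@c", q_i, j, T)
    return rename(psi(N, dta, succ[c[2]], c[1], h, z), N["params"][c[1]], c[3])

def psi(M, dta, b, q, h, z="z"):
    """psi^(h)_{b,q}(z): q yields the single tree z on every input in dom(b) of height at most h."""
    eqs = []
    for (state, f), succ in dta.items():
        if state != b or (h == 0 and succ):
            continue
        p, ts = M["rules"][(q, f)]
        if p != "T":
            return FALSE                   # output pattern p != T
        eqs += [(z, ts[0][1])] if ts[0][0] == "@p" else call_psi(M, dta, succ, ts[0], h - 1, z)
    return eqs

def phi(M, M2, dta, b, q, q2, h):
    """Phi^(h)_{b,(q,q')}: conditions on y, y' under which q and q' agree on dom(b) up to height h."""
    eqs = []
    for (state, f), succ in dta.items():
        if state != b or (h == 0 and succ):
            continue
        (p, ts), (p2, ts2) = M["rules"][(q, f)], M2["rules"][(q2, f)]
        if p != p2:
            return FALSE                   # different patterns p != p'
        for t, t2 in zip(ts, ts2):
            if t[0] == "@p" and t2[0] == "@p":            # parameter vs parameter
                eqs.append((t[1], t2[1]))
            elif t[0] == "@p":                            # parameter y_j vs call: psi^(h-1)(y_j)[T'/y']
                eqs += call_psi(M2, dta, succ, t2, h - 1, t[1])
            elif t2[0] == "@p":
                eqs += call_psi(M, dta, succ, t, h - 1, t2[1])
            elif t[2] == t2[2]:                           # calls on the same subtree: Phi^(h-1)[T/y][T'/y']
                eqs += rename(rename(phi(M, M2, dta, succ[t[2]], t[1], t2[1], h - 1),
                                     M["params"][t[1]], t[3]), M2["params"][t2[1]], t2[3])
            else:                                         # calls on different subtrees: both output one z
                z = "_z%d" % next(FRESH)
                eqs += call_psi(M, dta, succ, t, h - 1, z) + call_psi(M2, dta, succ, t2, h - 1, z)
    return eqs

def fixpoint(compute, bound):          # h = 0, 1, ... until two successive conjunctions agree (Lemma 4)
    prev = compute(0)
    for h in range(1, bound + 1):
        cur = compute(h)
        if equivalent(prev, cur):
            return h - 1, prev
        prev = cur
    raise RuntimeError("no fixpoint within the bound")

# Example 5: trivial DTA over {a, f}; q(a, y1, y2) -> y1 and q(f(x), y1, y2) -> q(x, h(y2), b).
DTA5 = {("b", "a"): (), ("b", "f"): ("b",)}
M5 = {"params": {"q": ["y1", "y2"]}, "rules": {("q", "a"): ("T", (("@p", "y1"),)),
      ("q", "f"): ("T", (("@c", "q", 0, (("h", "y2"), ("b",))),))}}
# Example 6: DTA b(f(x)) -> (b), b(g) -> (), b(h) -> (); state q of M and state q' of M'.
DTA6 = {("b", "f"): ("b",), ("b", "g"): (), ("b", "h"): ()}
M6 = {"params": {"q": ["y1", "y2"]}, "rules": {("q", "g"): ("T", (("@p", "y1"),)), ("q", "h"): ("T", (("@p", "y2"),)),
      ("q", "f"): ("a(T,d)", (("@c", "q", 0, (("b", "y1", "y1"), ("c", "y2"))),))}}
M6p = {"params": {"q'": ["y1'", "y2'"]}, "rules": {("q'", "g"): ("T", (("@p", "y2'"),)), ("q'", "h"): ("T", (("@p", "y1'"),)),
       ("q'", "f"): ("a(T,d)", (("@c", "q'", 0, (("c", "y1'"), ("b", "y2'", "y2'"))),))}}

def run_examples():                    # Example 5 stabilises at h = 2, Example 6 already at h = 0
    return (fixpoint(lambda h: reduce(psi(M5, DTA5, "b", "q", h)), 10),
            fixpoint(lambda h: reduce(phi(M6, M6p, DTA6, "b", "q", "q'", h)), 10))
```

Reduced conjunctions are kept as idempotent substitutions, so implication between two of them is a syntactic check and a false conjunction is an equation between two distinct constants that unification rejects. Terms are plain tuples; the shared representation of isomorphic subtrees that Lemma 4 relies on for polynomial size is not implemented, so on a chain such as $x_1 = a, x_2 = f(x_1, x_1), \dots$ the solved form still grows exponentially.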


In summary, we obtain the main theorem of our paper. 


Theorem 2. Let $(M, A)$ and $(M', A')$ be pairs consisting of total deterministic separated basic MTTs $M, M'$ and corresponding axioms $A, A'$ and $D$ a DTA. Then the equivalence of $(M, A)$ and $(M', A')$ relative to $D$ is decidable. If $D$ accepts all input trees, equivalence can be decided in polynomial time.

Proof. By Lemma 2 we build pairs $(M_1, A_1)$ and $(M'_1, A'_1)$ that are equivalent to $(M, A)$ and $(M', A')$ where $M_1, M'_1$ are $D$-earliest separated basic MTTs. If $D$ is trivial the construction is in polynomial time, cf. Corollary 1. Let the axioms be $A_1 = p[q_1(x_1, T_1), \dots, q_k(x_1, T_k)]$ and $A'_1 = p'[q'_1(x_1, T'_1), \dots, q'_{k'}(x_1, T'_{k'})]$. According to Lemma 3, $(M_1, A_1)$ and $(M'_1, A'_1)$ are equivalent iff

- $p = p'$, $k = k'$ and
- for all $j = 1, \dots, k$, $\Phi_{b,(q_j,q'_j)}[T_j/y][T'_j/y']$ is equivalent to true.

By Lemma 4 we can decide the second statement in time polynomial in the sizes of $M_1$ and $M'_1$.
5 Applications


In this section we show several applications of our equivalence result. First, we consider partial transductions of separated basic MTTs. To decide the equivalence of partial transductions we need to decide (a) whether the domain of two given MTTs is the same and if so, (b) whether the transductions on this domain are the same. How the second part of the decision procedure is done was shown in detail in this paper if the domain is given by a DTA. It therefore remains to discuss how this DTA can be obtained. It was shown in [4, Theorem 3.1] that the domain of every top-down tree transducer $T$ can be accepted by some DTA $B_T$ and this automaton can be constructed from $T$ in exponential time. This construction can easily be extended to basic MTTs. The decidability of equivalence of DTAs is well-known and can be done in polynomial time [16,17]. To obtain a total transducer we add for each pair $(q, f)$, $q \in Q$ and $f \in \Sigma$ that has no rule a new rule $q(f(x), y) \to \bot$, where $\bot$ is an arbitrary symbol in $\Delta_{out}$ of rank zero.


Example 7. In Example 1 we discussed how to adjust the transducer from the introduction to our formal definition. We therefore had to introduce additional rules to obtain a total transducer. Now we still add rules for the same pairs $(q, f)$ but only with right-hand sides $\bot$. Therefore the original domain of the transducer is given by a DTA $D = (R, \Sigma, r_0, \delta_D)$ with the rules $r_0(g(x_1, x_2)) \to (r(x_1), r(x_2))$, $r(f(x_1, x_2)) \to (r(x_1), r(x_2))$ and $r(i) \to ()$ for $i = 1, 2, 3$.


Corollary 2. The equivalence of deterministic separated basic MTTs with a 
partial transition function is decidable. 


Next, we show that our result can be used to decide the equivalence of total separated basic MTTs with look-ahead. A total macro tree transducer with regular look-ahead (MTT$^R$) is a tuple $(Q, \Sigma, \Delta, \delta, R, \delta_R)$ where $R$ is a finite set of look-ahead states and $\delta_R$ is a total function from $R^k \to R$ for every $f \in \Sigma^{(k)}$. Additionally we have a deterministic bottom-up tree automaton $(P, \Sigma, \delta, -)$ (without final states). A rule of the MTT$^R$ is of the form

$$q(f(x_1, \dots, x_k), y) \to t \quad \langle p_1, \dots, p_k \rangle$$

and is applicable to an input tree $f(t_1, \dots, t_k)$ if the look-ahead automaton accepts $t_i$ in state $p_i$ for all $i = 1, \dots, k$. For every $q, f, p_1, \dots, p_k$ there is exactly one such rule. Let $N_1 = (Q_1, \Sigma_1, \Delta_1, \delta_1, R_1, \delta_{R_1})$, $N_2 = (Q_2, \Sigma_2, \Delta_2, \delta_2, R_2, \delta_{R_2})$ be two total separated basic MTTs with look-ahead. We construct total separated basic MTTs $M_1, M_2$ without look-ahead as follows. The input alphabet contains for every $f \in \Sigma$ and $r_1, \dots, r_k \in R_1$, $r'_1, \dots, r'_k \in R_2$ the symbols $\langle f, r_1, \dots, r_k, r'_1, \dots, r'_k \rangle$. For $q(f(x_1, \dots, x_k), y) \to p[T_1, \dots, T_m]\ \langle r_1, \dots, r_k \rangle$ and $q'(f(x_1, \dots, x_k), y') \to p'[T'_1, \dots, T'_n]\ \langle r'_1, \dots, r'_k \rangle$ we obtain for $M_1$ the rules

$$q(\langle f, r_1, \dots, r_k, r'_1, \dots, r'_k \rangle(x_1, \dots, x_k), y) \to p[T''_1, \dots, T''_m]$$

with $T''_i = q_i(x_{j_i}, Z_i)$ if $T_i = q_i(x_{j_i}, Z_i)$ is a recursive call, and $T''_i = y_j$ if $T_i = y_j$. The total separated basic MTT $M_2$ is constructed in the same lines. Thus, $N_i$, $i = 1, 2$ can be simulated by $M_i$, $i = 1, 2$, respectively, if the input is restricted to the regular tree language of new input trees that represent correct runs of the look-ahead automata.


Corollary 3. The equivalence of total separated basic MTTs with regular look- 
ahead is decidable in polynomial time. 


Last, we consider separated basic MTTs that concatenate strings instead of trees in the parameters; we refer to this class as MTTs over words. Thus, the alphabet $\Delta_{in}$ is no longer a ranked alphabet but an unranked alphabet whose elements (letters) can be concatenated to words. The procedure to decide equivalence of MTTs over words is essentially the same as we discussed in this paper, but instead of conjunctions of equations of trees over $\Delta_{in} \cup Y$ we obtain conjunctions of equations of words. Equations of words are a well studied problem [23,24,26]. In particular, the confirmed Ehrenfeucht conjecture states that each conjunction of a set of word equations over a finite alphabet and using a finite number of variables is equivalent to the conjunction of a finite subset of word equations [19]. Accordingly, by a similar argument as in Sect. 4, the sequences of conjunctions $\psi^{(h)}_{b,q}(z)$, $\Phi^{(h)}_{b,(q,q')}$, $h \ge 0$, are ultimately stable. Using an encoding of words by integer matrices and applying techniques as in [19], we obtain:


Theorem 3. The equivalence of total separated basic MTTs that concatenate words instead of trees in the parameters ($\Delta_{in}$ is unranked) is decidable.


6 Related Work 


For several subclasses of attribute systems equivalence is known to be decidable. For instance, attributed grammars without inherited attributes are equivalent to deterministic top-down tree transducers (DT) [3,5]. For this class equivalence was shown to be decidable by Ésik [10]. Later, a simplified algorithm was provided in [8]. If the tree translation of an attribute grammar is of linear size increase, then equivalence is decidable, because it is decidable for deterministic macro tree transducers (DMTT) of linear size increase. This follows from the fact that the latter class coincides with the class of (deterministic) MSO definable tree translations (DMSOTT) [6] for which equivalence is decidable [7]. Figure 3 shows a Hasse diagram of classes of translations realized by certain deterministic tree transducers. The prefixes “l”, “n”, “sn”, “b” and “sb” mean “linear size increase”, “non-nested”, “separated non-nested”, “basic” and “separated basic”, respectively. A minimal class where it is still open whether equivalence is decidable is the class of non-nested attribute systems (nATT) which, on the macro tree transducer side, is included in the class of basic deterministic macro tree transducers (bDMTT).
[Fig. 3 is a Hasse diagram, not reproduced here: DMTT at the top; below it bDMTT, ATT and DMSOTT; below those sbDMTT, nATT and lATT; and DT and snATT at the bottom.]

Fig. 3. Classes with and without (underlined) known decidability of equivalence


For deterministic top-down tree transducers, equivalence can be decided in 
EXPSPACE, and in NLOGSPACE if the transducers are total [25]. For the latter 
class of transducers, one can decide equivalence in polynomial time by transform- 
ing the transducer into a canonical normal form (called “earliest normal form” ) 
and then checking isomorphism of the resulting transducers [8]. In terms of 
hardness, we know that equivalence of deterministic top-down tree transducers 
is EXPTIME-hard. For linear size increase deterministic macro tree transducers 
the precise complexity is not known (but is at least NP-hard). More complexity 
results are known for other models of tree transducers such as streaming tree 
transducers [1], see [25] for a summary. 


7 Conclusion 


We have proved that the equivalence problem for separated non-nested attribute systems can be decided in polynomial time. In fact, we have shown a stronger statement, namely that in polynomial time equivalence of separated basic total deterministic macro tree transducers can be decided. To see that the latter is a strict superclass of the former, consider the translation that takes a binary tree as input, and outputs the same tree, but under each leaf a new monadic tree is output which represents the inverse Dewey path of that node. For instance, the tree $f(f(a, a), a)$ is translated into the tree $f(f(a(1(1(e))), a(2(1(e)))), a(2(e)))$. A macro tree transducer of the desired class can easily realize this translation using a rule of the form $q(f(x_1, x_2), y) \to f(q(x_1, 1(y)), q(x_2, 2(y)))$. In contrast, no attribute system can realize this translation. The reason is that for every attribute system, the number of distinct output subtrees is linearly bounded by the size of the input tree. For the given translation there is no linear such bound (it is bounded by $|s| \log(|s|)$).

The idea of “separated”, to use different output alphabets, is related to the 
idea of transducers “with origin” [2,11]. In future work we would like to define 
adequate notions of origin for macro tree transducer, and prove that equivalence 
of such (deterministic) transducers with origin is decidable. 
Abstract. This paper poses that transition systems constitute a good 
model of distributed systems only in combination with a criterion telling 
which paths model complete runs of the represented systems. Among 
such criteria, progress is too weak to capture relevant liveness proper- 
ties, and fairness is often too strong; for typical applications we advocate 
the intermediate criterion of justness. Previously, we proposed a defini- 
tion of justness in terms of an asymmetric concurrency relation between 
transitions. Here we define such a concurrency relation for the transition 
systems associated to the process algebra CCS as well as its extensions 
with broadcast communication and signals, thereby making these process 
algebras suitable for capturing liveness properties requiring justness. 


1 Introduction 


Transition systems are a common model for distributed systems. They consist of 
sets of states, also called processes, and transitions—each transition going from 
a source state to a target state. A given distributed system D corresponds to a 
state P in a transition system T—the initial state of D. The other states of D 
are the processes in T that are reachable from P by following the transitions. A 
run of D corresponds with a path in T: a finite or infinite alternating sequence 
of states and transitions, starting with P, such that each transition goes from 
the state before to the state after it. Whereas each finite path in T starting 
from P models a partial run of D, i.e., an initial segment of a (complete) run, 
typically not each path models a run. Therefore a transition system constitutes 
a good model of distributed systems only in combination with what we here call 
a completeness criterion: a selection of a subset of all paths as complete paths, 
modelling runs of the represented system. 

A liveness property says that “something [good] must happen” eventually 
[18]. Such a property holds for a distributed system if the [good] thing happens 
in each of its possible runs. One of the ways to formalise this in terms of transition 
systems is to postulate a set of good states Y, and say that the liveness property 
holds for the process P if all complete paths starting in P pass through a state 
of Y [16]. Without a completeness criterion the concept of a liveness property 
appears to be meaningless. 


Example 1. The transition system on the right models Cataline eating a croissant in Paris. [Figure not reproduced: two states, 1 and 2, and a single transition $t$ from 1 to 2; state 2 is shaded.] It abstracts from all activity in the world except the eating of that croissant, and thus has two states only, the states of the world before and after this event, and one transition $t$. We depict states by circles and transitions by arrows between them. An initial state is indicated by a short arrow without a source state. A possible liveness property says that the croissant will be eaten. It corresponds with the set of states Y consisting of state 2 only. The states of Y are indicated by shading. The depicted transition system has three paths starting with state 1: $1$, $1t$ and $1t2$. The path $1t2$ models the run in which Cataline finishes the croissant. The path $1$ models a run in which Cataline never starts eating the croissant, and the path $1t$ models a run in which Cataline starts eating it, but never finishes. The liveness property Y holds only when using a completeness criterion that rules out the paths $1$ and $1t$ as modelling actual runs of the system, leaving $1t2$ as the sole complete path.


The transitions of transition systems can be understood to model atomic actions 
that can be performed by the represented systems. Although we allow these 
actions to be instantaneous or durational, in the remainder of this paper we 
adopt the assumption that “atomic actions always terminate” [23]. This is a 
partial completeness criterion. It rules out the path 1t in Example 1. We build 
in this assumption in the definition of a path by henceforth requiring that finite 
paths should end with a state. 


Progress. The most widely employed completeness criterion is progress.¹ In the 
context of closed systems, having no run-time interactions with the environment, 
it is the assumption that a run will never get stuck in a state with outgoing 
transitions. This rules out the path 1 in Example 1, as t is outgoing. When 
adopting progress as completeness criterion, the liveness property Y holds for 
the system modelled in Example 1. 

Progress is assumed in almost all work on process algebra that deals with 
liveness properties, mostly implicitly. Milner makes an explicit progress assump- 
tion for the process algebra CCS in [20]. A progress assumption is built into the 
temporal logics LTL [24], CTL [7] and CTL* [8], namely by disallowing states 
without outgoing transitions and evaluating temporal formulas by quantifying 
over infinite paths only.² In [17] the ‘multiprogramming axiom’ is a progress 
assumption, whereas in [1] progress is assumed as a ‘fundamental liveness 
property’. 

¹ Misra [21,22] calls this the ‘minimal progress assumption’. In [22] he uses ‘progress’ as a synonym for ‘liveness’. In session types, ‘progress’ and ‘global progress’ are used as names of particular liveness properties [4]; this use has no relation with ours.

² Exceptionally, states without outgoing transitions are allowed, and then quantification is over all maximal paths, i.e. paths that are infinite or end in a state without outgoing transitions [5].
As we argued in [10,15,16], a progress assumption as above is too strong 
in the context of reactive systems, meaning that it rules out as incomplete too 
many paths. There, a transition typically represents an interaction between the 
distributed system being modelled and its environment. In many cases a transi- 
tion can occur only if both the modelled system and the environment are ready 
to engage in it. We therefore distinguish blocking and non-blocking transitions. A 
transition is non-blocking if the environment cannot or will not block it, so that 
its execution is entirely under the control of the system under consideration. A 
blocking transition on the other hand may fail to occur because the environment 
is not ready for it. The same was done earlier in the setting of Petri nets [26], 
where blocking and non-blocking transitions are called cold and hot, respectively. 

In [10,15,16] we worked with transition systems that are equipped with a 
partitioning of the transitions into blocking and non-blocking ones, and refor- 
mulated the progress assumption as follows: 


a (transition) system in a state that admits a non-blocking transition will 
eventually progress, i.e., perform a transition. 


In other words, a run will never get stuck in a state with outgoing non-blocking 
transitions. In Example 1, when adopting progress as our completeness crite- 
rion, we assume that Cataline actually wants to eat the croissant, and does not 
willingly remain in State 1 forever. When that assumption is unwarranted, one 
would model her behaviour by a transition system different from that of Exam- 
ple 1. However, she may still be stuck in State 1 by lack of any croissant to eat. 
If we want to model the capability of the environment to withhold a croissant, 
we classify $t$ as a blocking transition, and the liveness property Y does not hold. 
If we abstract from a possible shortage of croissants, t is deemed a non-blocking 
transition, and, when assuming progress, Y holds. 

As an alternative approach to a dogmatic division of transitions in a transition system, we could shift the status of transitions to the progress property, and speak of $B$-progress when $B$ is the set of blocking transitions. In that approach, Y holds for State 1 of Example 1 under the assumption of $B$-progress when $t \notin B$, but not when $t \in B$.


Justness. Justness is a completeness criterion proposed in [10,15,16]. It strength- 
ens progress. It can be argued that once one adopts progress it makes sense to 
go a step further and adopt even justness. 


Example 2. The transition system on the top right models Alice making an unending sequence of phone calls in London. There is no interaction of any kind between Alice and Cataline. Yet, we may choose to abstract from all activity in the world except the eating of the croissant by Cataline, and the making of calls by Alice. This yields the combined transition system on the bottom right. [Figures not reproduced: Alice's system, a single state with a looping transition, and the combined system, which adds Alice's looping calls to the transition system of Example 1.] Even when taking the transition $t$ to be non-blocking, progress is not a strong enough completeness criterion to ensure that Cataline will ever eat the croissant. For the infinite path that loops in the first state is complete. Nevertheless, as nothing stops Cataline from making progress, in reality $t$ will occur [16].


This example is not a contrived corner case, but a rather typical illustration of an issue that is central to the study of distributed systems. Other illustrations of this phenomenon occur in [10, Section 9.1], [14, Section 10], [11, Section 1.4], [12] and [6, Section 4]. The criterion of justness aims to ensure the liveness property occurring in these examples. In [16] it is formulated as follows:


Once a non-blocking transition is enabled that stems from a set of parallel 
components, one (or more) of these components will eventually partake in 
a transition. 


In Example 2, t is a non-blocking transition enabled in the initial state. It stems 
from the single parallel component Cataline of the distributed system under 
consideration. Justness therefore requires that Cataline must partake in a tran- 
sition. This can only be t, as all other transitions involve component Alice only. 
Hence justness says that t must occur. The infinite path starting in the initial 
state and not containing t is ruled out as unjust, and thereby incomplete. 

In [13,16] we explain how justness is fundamentally different from fairness, 
and why fairness is too strong a completeness criterion for many applications. 

Unlike progress, the concept of justness as formulated above is in need of 
some formalisation, i.e., to formally define a component, to make precise for 
concrete transition systems what it means for a transition to stem from a set of 
components, and to define when a component partakes in a transition. 

A formalisation of justness for the transition system generated by the process 
algebra AWN, the Algebra for Wireless Networks [9], was provided in [10]. In the 
same vein, [15] offered a formalisation for the transition systems generated by 
CCS [20], and its extension ABC, the Algebra of Broadcast Communication [15], 
a variant of CBS, the Calculus of Broadcasting Systems [25]. The same was done 
for CCS extended with signals in [6]. These formalisations coinductively define 
B-justness, where B ranges over sets of transitions deemed to be blocking, as a 
family of predicates on paths, and proceed by a case distinction on the operators 
in the language. Although these definitions do capture the concept of justness 
formulated above, it is not easy to see why. 

A more syntax-independent formalisation of justness occurs in [16]. There 
it is defined directly on transition systems equipped with a, possibly asymmet- 
ric, concurrency relation between transitions. However, the concurrency relation 
itself is defined only for the transition system generated by a fragment of CCS, 
and the generalisation to full CCS, and other process algebras, is non-trivial. 

It is the purpose of this paper to make the definition of justness from [16] 
available to a large range of process algebras by defining the concurrency relation 
for CCS, for ABC, and for the extension of CCS with signals used in [6]. We do 
this in a precise as well as in an approximate way, and show that both approaches 
lead to the same concept of justness. Moreover, in all cases we establish a closure 
property on the concurrency relation ensuring that justness is a meaningful 
notion. We show that for all these algebras justness is feasible. Here feasibility is a 
requirement on completeness criteria advocated in [1,16,19]. Finally, we establish 
agreement between the formalisation of justness from [16] and the present paper, 
and the original coinductive ones from [15] and [6]. 


2 Labelled Transition Systems with Concurrency 


We start with the formal definitions of a labelled transition system, a path, and the completeness criterion progress, which is parametrised by the choice of a collection $B$ of blocking actions. Then we define the completeness criterion justness on labelled transition systems upgraded with a concurrency relation.


Definition 1. A labelled transition system (LTS) is a tuple $(S, Tr, src, target, \ell)$ with $S$ and $Tr$ sets (of states and transitions), $src, target: Tr \to S$ and $\ell: Tr \to \mathcal{L}$, for some set of transition labels $\mathcal{L}$.


Here we work with LTSs labelled over a structured set of labels $(\mathcal{L}, Act, Rec)$, where $Rec \subseteq Act \subseteq \mathcal{L}$. Labels in $Act$ are actions; the ones in $\mathcal{L} \setminus Act$ are signals. Transitions labelled with actions model a state change in the represented system; signal transitions do not: they satisfy $src(t) = target(t)$ and merely convey a property of a state. $Rec \subseteq Act$ is the set of receptive actions; sets $B \subseteq Act$ of blocking actions must always contain $Rec$. In CCS and most other process algebras $Rec = \emptyset$ and $Act = \mathcal{L}$. Let $Tr^\bullet = \{t \in Tr \mid \ell(t) \in Act \setminus Rec\}$ be the set of transitions that are neither signals nor receptive.


Definition 2. A path in a transition system $(S, Tr, src, target)$ is an alternating 
sequence $s_0\, t_1\, s_1\, t_2\, s_2 \cdots$ of states and non-signal transitions, starting with a 
state and either being infinite or ending with a state, such that $src(t_i) = s_{i-1}$ 
and $target(t_i) = s_i$ for all relevant $i$. 


A completeness criterion is a unary predicate on the paths in a transition system. 


Definition 3. Let $B \subseteq Act$ be a set of actions with $Rec \subseteq B$, the blocking 
ones. Then $Tr^\bullet_{\neg B} := \{t \in Tr^\bullet \mid \ell(t) \notin B\}$ is the set of non-blocking transitions. 
A path in $T$ is $B$-progressing if either it is infinite or its last state is the source 
of no non-blocking transition $t \in Tr^\bullet_{\neg B}$. 


$B$-progress is a completeness criterion for any choice of $B \subseteq Act$ with $Rec \subseteq B$. 


Definition 4. A labelled transition system with concurrency (LTSC) is a tuple 
$(S, Tr, src, target, \ell, \smile^\bullet)$ consisting of a LTS $(S, Tr, src, target, \ell)$ and a concur- 
rency relation $\smile^\bullet \subseteq Tr^\bullet \times Tr$, such that: 


$t \not\smile^\bullet t$ for all $t \in Tr^\bullet$, (1) 


if $t \in Tr^\bullet$ and $\pi$ is a path from $src(t)$ to $s \in S$ such that $t \smile^\bullet v$ for 
all transitions $v$ occurring in $\pi$, then there is a $u \in Tr^\bullet$ such that (2) 
$src(u) = s$, $\ell(u) = \ell(t)$ and $t \not\smile^\bullet u$. 
Informally, $t \smile^\bullet v$ means that the transition $v$ does not interfere with $t$, in the 
sense that it does not affect any resources that are needed by $t$, so that in a state 
where $t$ and $v$ are both possible, after doing $v$ one can still do (a future variant 
$u$ of) $t$. In many transition systems $\smile^\bullet$ is a symmetric relation, denoted $\smile$. 
The transition relation in a labelled transition system is often defined as 
a relation $Tr \subseteq S \times \mathcal{L} \times S$. This approach is not suitable here, as we will 
encounter multiple transitions with the same source, target and label that ought 
to be distinguished based on their concurrency relations with other transitions. 


Definition 5. A path $\pi$ in an LTSC is $B$-just, for $Rec \subseteq B \subseteq Act$, if for each 
transition $t \in Tr^\bullet_{\neg B}$ with $s := src(t) \in \pi$, a transition $u$ occurs in the suffix of $\pi$ 
starting at $s$, such that $t \not\smile^\bullet u$. 


Informally, justness requires that once a non-blocking non-signal transition t is 
enabled, sooner or later a transition u will occur that interferes with it, possibly 
t itself. Note that, for any Rec C B C Act, B-justness is a completeness criterion 
stronger than B-progress. 


Components. Instead of introducing $\smile$ as a primitive, it is possible to obtain 
it as a notion derived from two functions $npc, afc: Tr \to \mathcal{P}(\mathcal{C})$, for a given 
set of components $\mathcal{C}$. These functions could then be added as primitives to the 
definition of an LTS. They are based on the idea that a process represents a 
system built from parallel components. Each transition is obtained as a synchro- 
nisation of activities from some of these components. Now $npc(t)$ describes the 
(nonempty) set of components that are necessary participants in the execution 
of $t$, whereas $afc(t)$ describes the components that are affected by the execution 
of $t$. The concurrency relation is then defined by 


$t \smile u \Leftrightarrow npc(t) \cap afc(u) = \emptyset$ 


saying that $u$ interferes with $t$ iff a necessary participant in $t$ is affected by $u$. 
Most material above stems from [16]. However, there $Tr^\bullet = Tr$, so that $\smile^\bullet$ 
is irreflexive, i.e., $npc(t) \cap afc(t) \neq \emptyset$ for all $t \in Tr$. Moreover, a fixed set $B$ 
is postulated, so that the notions of progress and justness are not explicitly 
parametrised with the choice of $B$. Furthermore, property (2) is new here; it is 
the weakest closure property that supports Theorem 1 below. In [16] only the 
model in which $\smile^\bullet$ is derived from $npc$ and $afc$ comes with a closure property: 


If $t, v \in Tr^\bullet$ with $src(t) = src(v)$ and $npc(t) \cap afc(v) = \emptyset$, then (3) 
$\exists u \in Tr^\bullet$ with $src(u) = target(v)$, $\ell(u) = \ell(t)$ and $npc(u) = npc(t)$. 


Trivially (3) implies (2). 

An important requirement on completeness criteria is that any finite path 
can be extended into a complete path. This requirement was proposed by Apt, 
Francez and Katz in [1] and called feasibility. It also appears in Lamport [19] 
under the name machine closure. The theorem below lists conditions under which 
B-justness is feasible. Its proof is a variant of a similar theorem from [16] showing 
conditions under which notions of strong and weak fairness are feasible. 
Table 1. Structural operational semantics of CCS 

$\dfrac{}{\alpha.P \xrightarrow{\alpha} P}$ (Act)   $\dfrac{P \xrightarrow{\alpha} P'}{P+Q \xrightarrow{\alpha} P'}$ (Sum-L)   $\dfrac{Q \xrightarrow{\alpha} Q'}{P+Q \xrightarrow{\alpha} Q'}$ (Sum-R) 

$\dfrac{P \xrightarrow{\eta} P'}{P|Q \xrightarrow{\eta} P'|Q}$ (Par-L)   $\dfrac{P \xrightarrow{c} P' \quad Q \xrightarrow{\bar c} Q'}{P|Q \xrightarrow{\tau} P'|Q'}$ (Comm)   $\dfrac{Q \xrightarrow{\eta} Q'}{P|Q \xrightarrow{\eta} P|Q'}$ (Par-R) 

$\dfrac{P \xrightarrow{\ell} P'}{P\backslash L \xrightarrow{\ell} P'\backslash L}\ (\ell, \bar\ell \notin L)$ (Res)   $\dfrac{P \xrightarrow{\ell} P'}{P[f] \xrightarrow{f(\ell)} P'[f]}$ (Rel)   $\dfrac{P \xrightarrow{\alpha} P'}{A \xrightarrow{\alpha} P'}\ (A \stackrel{\mathit{def}}{=} P)$ (Rec) 


Theorem 1. If, in an LTSC with set of blocking actions $B$, only countably many 
transitions from $Tr^\bullet_{\neg B}$ are enabled in each state, then $B$-justness is feasible. 


All proofs can be found in the full version of this paper [13]. 


3 CCS and Its Extensions with Broadcast and Signals 


This section presents four process algebras: Milner’s Calculus of Communicating 
Systems (CCS) [20], its extensions with broadcast communication ABC [15] and 
signals CCSS [6], and an alternative presentation of ABC that avoids negative 
premises in favour of discard transitions. 


3.1 CCS 


CCS [20] is parametrised with sets $\mathcal{A}$ of agent identifiers and $\mathcal{C}h$ of (hand- 
shake communication) names; each $A \in \mathcal{A}$ comes with a defining equation 
$A \stackrel{\mathit{def}}{=} P$ with $P$ being a CCS expression as defined below. $\bar{\mathcal{C}h} := \{\bar c \mid c \in \mathcal{C}h\}$ 
is the set of co-names. Complementation is extended to $\bar{\mathcal{C}h}$ by setting $\bar{\bar c} = c$. 
$Act := \mathcal{C}h \cup \bar{\mathcal{C}h} \cup \{\tau\}$ is the set of actions, where $\tau$ is a special internal action. 
Below, $c$ ranges over $\mathcal{C}h \cup \bar{\mathcal{C}h}$, $\eta, \alpha, \ell$ over $Act$, and $A, B$ over $\mathcal{A}$. A relabelling 
is a function $f: \mathcal{C}h \to \mathcal{C}h$; it extends to $Act$ by $f(\bar c) = \overline{f(c)}$ and $f(\tau) := \tau$. The 
set $\mathbb{P}_{CCS}$ of CCS expressions or processes is the smallest set including: 


$0$                                                          inaction 
$\alpha.P$   for $\alpha \in Act$ and $P \in \mathbb{P}_{CCS}$                 action prefixing 
$P+Q$      for $P, Q \in \mathbb{P}_{CCS}$                            choice 
$P|Q$      for $P, Q \in \mathbb{P}_{CCS}$                            parallel composition 
$P\backslash L$   for $L \subseteq \mathcal{C}h$ and $P \in \mathbb{P}_{CCS}$          restriction 
$P[f]$     for $f$ a relabelling and $P \in \mathbb{P}_{CCS}$         relabelling 
$A$        for $A \in \mathcal{A}$                                   agent identifier 


One often abbreviates $\alpha.0$ by $\alpha$, and $P\backslash\{c\}$ by $P\backslash c$. The traditional semantics 
of CCS is given by the labelled transition relation $\to \subseteq \mathbb{P}_{CCS} \times Act \times \mathbb{P}_{CCS}$, 
where transitions $P \xrightarrow{\ell} Q$ are derived from the rules of Table 1. 
Table 2. Structural operational semantics of ABC broadcast communication 

$\dfrac{P \xrightarrow{b\sharp} P' \quad Q \not\xrightarrow{b?}}{P|Q \xrightarrow{b\sharp} P'|Q}$ (Bro-L)   $\dfrac{P \xrightarrow{b\sharp_1} P' \quad Q \xrightarrow{b\sharp_2} Q'}{P|Q \xrightarrow{b\sharp} P'|Q'}\ (\sharp_1 \circ \sharp_2 = \sharp \neq \_)$ (Bro-C)   $\dfrac{Q \xrightarrow{b\sharp} Q' \quad P \not\xrightarrow{b?}}{P|Q \xrightarrow{b\sharp} P|Q'}$ (Bro-R) 

with $\sharp \in \{!, ?\}$ and the composition $\circ$ given by $! \circ ? = ? \circ ! = !$, $? \circ ? = ?$ and $! \circ ! = \_$ (undefined). 


3.2 ABC—The Algebra of Broadcast Communication 


The Algebra of Broadcast Communication (ABC) [15] is parametrised with sets 
$\mathcal{A}$ of agent identifiers, $\mathcal{B}$ of broadcast names and $\mathcal{C}h$ of handshake communica- 
tion names; each $A \in \mathcal{A}$ comes with a defining equation $A \stackrel{\mathit{def}}{=} P$ with $P$ being 
a guarded ABC expression as defined below. 
The collections $\mathcal{B}!$ and $\mathcal{B}?$ of broadcast and receive actions are given by 
$\mathcal{B}\sharp := \{b\sharp \mid b \in \mathcal{B}\}$ for $\sharp \in \{!, ?\}$. $Act := \mathcal{B}! \cup \mathcal{B}? \cup \mathcal{C}h \cup \bar{\mathcal{C}h} \cup \{\tau\}$ is the set of 
actions. Below, $A$ ranges over $\mathcal{A}$, $b$ over $\mathcal{B}$, $c$ over $\mathcal{C}h \cup \bar{\mathcal{C}h}$, $\eta$ over $\mathcal{C}h \cup \bar{\mathcal{C}h} \cup \{\tau\}$ 
and $\alpha, \ell$ over $Act$. A relabelling is a function $f: (\mathcal{B} \to \mathcal{B}) \cup (\mathcal{C}h \to \mathcal{C}h)$. It 
extends to $Act$ by $f(\bar c) = \overline{f(c)}$, $f(b\sharp) = f(b)\sharp$ and $f(\tau) := \tau$. The set $\mathbb{P}_{ABC}$ of 
ABC expressions is defined exactly as $\mathbb{P}_{CCS}$. An expression is guarded if each 
agent identifier occurs within the scope of a prefixing operator. The structural 
operational semantics of ABC is the same as the one for CCS (see Table 1) but 
augmented with the rules for broadcast communication in Table 2. 

ABC is CCS augmented with a formalism for broadcast communication taken 
from the Calculus of Broadcasting Systems (CBS) [25]. The syntax without 
the broadcast and receive actions and all rules except (Bro-L), (Bro-C) and 
(Bro-R) are taken verbatim from CCS. However, the rules now cover the dif- 
ferent name spaces; (Act) for example allows labels of broadcast and receive 
actions. The rule (Bro-C), in the absence of rules like (Par-L) and (Par-R) with label 
$b!$, implements a form of broadcast communication where any broadcast $b!$ per- 
formed by a component in a parallel composition is guaranteed to be received 
by any other component that is ready to do so, i.e., in a state that admits a 
$b?$-transition.³ In order to ensure associativity of the parallel composition, one 
also needs this rule for components receiving at the same time ($\sharp_1 = \sharp_2 = ?$). The 
rules (Bro-L) and (Bro-R) are added to make broadcast communication non- 
blocking: without them a component could be delayed in performing a broadcast 
simply because one of the other components is not ready to receive it. 


3.3 CCS with Signals 


CCS with signals (CCSS) [6] is CCS extended with a signalling operator $P^{\wedge}s$. 
Informally, $P^{\wedge}s$ emits the signal $s$ to be read by another process. $P^{\wedge}s$ could for 
instance be a traffic light emitting the signal red. The reading of the signal 
emitted by $P^{\wedge}s$ does not interfere with any transition of $P$, such as jumping to 
green. Formally, CCS is extended with a set $\mathcal{S}$ of signals, ranged over by $s$ and $r$. 
In CCSS the set of actions is defined as $Act := \mathcal{S} \cup \mathcal{C}h \cup \bar{\mathcal{C}h} \cup \{\tau\}$, and the set 
Table 3. Structural operational semantics for signals of CCSS 

$\dfrac{}{P^{\wedge}s \xrightarrow{\dot s} P^{\wedge}s}$   $\dfrac{P \xrightarrow{\dot s} P'}{P+Q \xrightarrow{\dot s} P'+Q}$   $\dfrac{Q \xrightarrow{\dot s} Q'}{P+Q \xrightarrow{\dot s} P+Q'}$ 

$\dfrac{P \xrightarrow{\alpha} P'}{P^{\wedge}r \xrightarrow{\alpha} P'}$   $\dfrac{P \xrightarrow{\dot s} P'}{P^{\wedge}r \xrightarrow{\dot s} P'^{\wedge}r}$   $\dfrac{P \xrightarrow{\dot s} P'}{A \xrightarrow{\dot s} A}\ (A \stackrel{\mathit{def}}{=} P)$ 


of labels by $\mathcal{L} := Act \cup \dot{\mathcal{S}}$, where $\dot{\mathcal{S}} := \{\dot s \mid s \in \mathcal{S}\}$. A relabelling is a function 
$f: (\mathcal{S} \to \mathcal{S}) \cup (\mathcal{C}h \to \mathcal{C}h)$. It extends to $\mathcal{L}$ by $f(\bar c) = \overline{f(c)}$ for $c \in \mathcal{C}h \cup \mathcal{S}$, where $\bar s$ is read as $\dot s$ for $s \in \mathcal{S}$, and 
$f(\tau) := \tau$. The set $\mathbb{P}_{CCSS}$ of CCSS expressions is defined just as $\mathbb{P}_{CCS}$, but now 
also $P^{\wedge}s$ is a process for $P \in \mathbb{P}_{CCSS}$ and $s \in \mathcal{S}$, and restriction also covers signals. 

The semantics of CCSS is given by the labelled transition relation $\to \subseteq$ 
$\mathbb{P}_{CCSS} \times \mathcal{L} \times \mathbb{P}_{CCSS}$ derived from the rules of CCS (Table 1), where now $\eta, \ell$ 
range over $\mathcal{L}$, $\alpha$ over $Act$, $c$ over $\mathcal{C}h \cup \mathcal{S}$ and $L \subseteq \mathcal{C}h \cup \mathcal{S}$, augmented with the 
rules of Table 3. The first rule is the base case showing that a process $P^{\wedge}s$ emits 
the signal $s$. The rule below models the fact that signalling cannot prevent a 
process from making progress. 

The original semantics of CCSS [6] featured unary predicates on pro- 
cesses, one for each signal $s$, to model that $P$ emits the signal $s$; here, inspired by [3], these predicates 
are represented as transitions $P \xrightarrow{\dot s} P$. Whereas this leads to a simpler opera- 
tional semantics, the price paid is that these new signal transitions need special 
treatment in the definition of justness, cf. Definitions 2 and 5. 


3.4 Using Signals to Avoid Negative Premises in ABC 


Finally, we present an alternative operational semantics ABCd of ABC that 
avoids negative premises. The price to be paid is the introduction of signals 
that indicate when a state does not admit a receive action. To this end, let 
$\mathcal{B}{:} := \{b{:} \mid b \in \mathcal{B}\}$ be the set of broadcast discards, and $\mathcal{L} := \mathcal{B}{:} \cup Act$ the 
set of transition labels, with $Act$ as in Sect. 3.2. The semantics is given by the 
labelled transition relation $\to \subseteq \mathbb{P}_{ABC} \times \mathcal{L} \times \mathbb{P}_{ABC}$ derived from the rules of 
CCS (Table 1), where now $c$ ranges over $\mathcal{C}h \cup \bar{\mathcal{C}h}$, $\eta$ over $\mathcal{C}h \cup \bar{\mathcal{C}h} \cup \{\tau\}$, $\alpha$ over 
$Act$ and $\ell$ over $\mathcal{L}$, augmented with the rules of Table 4. 


Lemma 1. [25] $P \xrightarrow{b:} Q$ iff $Q = P \wedge P \not\xrightarrow{b?}$, for $P, Q \in \mathbb{P}_{ABC}$ and $b \in \mathcal{B}$. 


So the structural operational semantics of ABC from Sects. 3.2 and 3.4 yield the 
same labelled transition relation $\to$ when transitions labelled $b{:}$ are ignored. 
This approach stems from the Calculus of Broadcasting Systems (CBS) [25]. 


³ A state $P$ admits an action $\alpha \in Act$ if there exists a transition $P \xrightarrow{\alpha} Q$, 

Table 4. SOS of ABC broadcast communication with discard transitions 

$\dfrac{}{0 \xrightarrow{b:} 0}$   $\dfrac{}{\alpha.P \xrightarrow{b:} \alpha.P}\ (\alpha \neq b?)$   $\dfrac{P \xrightarrow{b:} P' \quad Q \xrightarrow{b:} Q'}{P+Q \xrightarrow{b:} P'+Q'}$ 

$\dfrac{P \xrightarrow{b\sharp_1} P' \quad Q \xrightarrow{b\sharp_2} Q'}{P|Q \xrightarrow{b\sharp} P'|Q'}\ (\sharp_1 \circ \sharp_2 = \sharp \neq \_)$ with $\circ$ extended by $: \circ ! = ! \circ : = !$, $: \circ ? = ? \circ : = ?$ and $: \circ : = :$   $\dfrac{P \xrightarrow{b:} P'}{A \xrightarrow{b:} A}\ (A \stackrel{\mathit{def}}{=} P)$ 


4 An LTS with Concurrency for CCS and Its Extensions 


The forthcoming material applies to each of the process algebras from Sect. 3, 
or combinations thereof. Let $\mathbb{P}$ be the set of processes in the language. 
We allocate an LTS as in Definition 1 to these languages by taking $S$ to be 
the set $\mathbb{P}$ of processes, and $Tr$ the set of derivations $t$ of transitions $P \xrightarrow{\ell} Q$ with 
$P, Q \in \mathbb{P}$. Of course $src(t) = P$, $target(t) = Q$ and $\ell(t) = \ell$. Here a derivation of a 
transition $P \xrightarrow{\ell} Q$ is a well-founded tree with the nodes labelled by transitions, 
such that the root has label $P \xrightarrow{\ell} Q$, and if $\mu$ is the label of a node and $K$ is 
the set of labels of the children of this node then $\frac{K}{\mu}$ is an instance of a rule of 
Tables 1, 2, 3 and 4. 

We take $Rec := \mathcal{B}?$ in ABC and ABCd: broadcast receipts can always be 
blocked by the environment, namely by not broadcasting the requested message. 
For CCS and CCSS we take $Rec := \emptyset$, thus allowing environments that can 
always participate in certain handshakes, and/or always emit certain signals. 

Following [15], we give a name to any derivation of a transition: The unique 
derivation of the transition $\alpha.P \xrightarrow{\alpha} P$ using the rule (Act) is called $\stackrel{\alpha}{\to}P$. The 
unique derivation of the transition $P^{\wedge}s \xrightarrow{\dot s} P^{\wedge}s$ is called $P\stackrel{\dot s}{\to}$. The derivation 
obtained by application of (Comm) or (Bro-C) on the derivations $t$ and $u$ of 
the premises of that rule is called $t|u$. The derivation obtained by application of 
(Par-L) or (Bro-L) on the derivation $t$ of the (positive) premise of that rule, 
and using process $Q$ at the right of $|$, is $t|Q$. In the same way, (Par-R) and 
(Bro-R) yield $P|u$, whereas (Sum-L), (Sum-R), (Res), (Rel) and (Rec) yield 
$t+Q$, $P+t$, $t\backslash L$, $t[f]$ and $A{:}t$. These names reflect syntactic structure: $t|P \neq P|t$ 
and $(t|u)|v \neq t|(u|v)$. 

Table 3, moreover, contributes derivations $t^{\wedge}\dot r$. The derivations obtained by 
application of the rules of Table 4 are called $b{:}0$, $b{:}\alpha.P$, $t+u$, $t|u$ and $A{:}t$, where 
$t$ and $u$ are the derivations of the premises. 


Synchrons. Let $Arg := \{+_L, +_R, |_L, |_R, \backslash L, [f], A{:}, \dot r \mid L \subseteq \mathcal{C}h \cup \mathcal{S},\ f \text{ a relabelling},\ A \in \mathcal{A},\ \dot r \in \dot{\mathcal{S}}\}$. 
A synchron is an expression $\sigma(\stackrel{\alpha}{\to}P)$ or $\sigma(P\stackrel{\dot s}{\to})$ or $\sigma(b{:})$ with 
$\sigma \in Arg^*$, $\alpha \in Act$, $s \in \mathcal{S}$, $P \in \mathbb{P}$ and $b \in \mathcal{B}$. An argument $\iota \in Arg$ is applied 
componentwise to a set $\Sigma$ of synchrons: $\iota(\Sigma) := \{\iota\varsigma \mid \varsigma \in \Sigma\}$. 
The set of synchrons $\varsigma(t)$ of a derivation $t$ of a transition is defined by 

$\varsigma(\stackrel{\alpha}{\to}P) = \{(\stackrel{\alpha}{\to}P)\}$   $\varsigma(t+Q) = +_L\varsigma(t)$   $\varsigma(P+t) = +_R\varsigma(t)$ 
$\varsigma(t|Q) = |_L\varsigma(t)$   $\varsigma(t|u) = |_L\varsigma(t) \cup |_R\varsigma(u)$   $\varsigma(P|u) = |_R\varsigma(u)$ 
$\varsigma(t\backslash L) = \backslash L\,\varsigma(t)$   $\varsigma(t[f]) = [f]\varsigma(t)$   $\varsigma(A{:}t) = A{:}\varsigma(t)$ 
$\varsigma(P\stackrel{\dot s}{\to}) = \{(P\stackrel{\dot s}{\to})\}$   $\varsigma(t^{\wedge}\dot r) = \dot r\,\varsigma(t)$ 
$\varsigma(b{:}0) = \{(b{:})\}$   $\varsigma(b{:}\alpha.P) = \{(b{:})\}$   $\varsigma(t+v) = +_L\varsigma(t) \cup +_R\varsigma(v)$ 


Thus, a synchron of $t$ represents a path in the proof-tree $t$ from its root to a leaf. 
Each transition derivation can be seen as the synchronisation of one or more 
synchrons. Note that we use the symbol $\varsigma$ as a variable ranging over synchrons, 
and as the name of a function; context disambiguates. 


Example 3. The CCS process $P = ((c.Q + (d.R|e.S))|\bar c.T)\backslash c$ has 3 outgoing 
transitions: $P \xrightarrow{\tau} (Q|T)\backslash c$, $P \xrightarrow{d} ((R|e.S)|\bar c.T)\backslash c$ and $P \xrightarrow{e} ((d.R|S)|\bar c.T)\backslash c$. 
Let $t_c$, $t_d$ and $t_e \in Tr$ be the unique derivations of these transitions. Then 
$t_c$ is a synchronisation of two synchrons, whereas $t_d$ and $t_e \in Tr$ have only 
one each: $\varsigma(t_c) = \{\backslash c\,|_L +_L (\stackrel{c}{\to}Q),\ \backslash c\,|_R (\stackrel{\bar c}{\to}T)\}$, $\varsigma(t_d) = \{\backslash c\,|_L +_R |_L (\stackrel{d}{\to}R)\}$ and 
$\varsigma(t_e) = \{\backslash c\,|_L +_R |_R (\stackrel{e}{\to}S)\}$. The derivations $t_d$ and $t_e \in Tr$ can be seen as concur- 
rent, because their synchrons come from opposite sides of the same parallel com- 
position; one would expect that after one of them occurs, a variant of the other 
is still possible. Indeed, there is a transition $((d.R|S)|\bar c.T)\backslash c \xrightarrow{d} ((R|S)|\bar c.T)\backslash c$. 
Let $t_d'$ be its unique derivation. The derivations $t_d$ and $t_d'$ are surely differ- 
ent, as they have a different source state. Even their synchrons are different: 
$\varsigma(t_d') = \{\backslash c\,|_L |_L (\stackrel{d}{\to}R)\}$. Nevertheless, $t_d'$ can be recognised as a future variant of 
$t_d$: its only synchron has merely lost an argument $+_R$. This choice got resolved 
when taking the transition $t_e$. 


We proceed to formalise the concepts "future variant" and "concurrent" that 
occur above, by defining two binary relations $\leadsto \subseteq Tr^\bullet \times Tr^\bullet$ and $\smile^\bullet \subseteq Tr^\bullet \times Tr$ 
such that the following properties hold: 


The relation $\leadsto$ is reflexive and transitive. (4) 
If $t \leadsto t'$ and $t \smile^\bullet v$, then $t' \smile^\bullet v$. (5) 
If $t \smile^\bullet v$ with $src(t) = src(v)$ then $\exists t'$ with $src(t') = target(v)$ and $t \leadsto t'$. (6) 
If $t \leadsto t'$ then $\ell(t) = \ell(t')$ and $t \not\smile^\bullet t'$. (7) 


With $t \smile^\bullet v$ we mean that the possible occurrence of $t$ is unaffected by the 
occurrence of $v$. Although for CCS the relation $\smile^\bullet$ is symmetric (and $Tr^\bullet = Tr$), 
for ABC and CCSS it is not: 


Example 4 ([15]). Let $P$ be the process $b!|(b? + c)$, and let $t$ and $v$ be the 
derivations of the $b!$- and $c$-transitions of $P$. The broadcast $b!$ is in our view 
completely under the control of the left component; it will occur regardless of 
whether the right component listens to it or not. It so happens that if $b!$ occurs 
in state $P$, the right component will listen to it, thereby disabling the possible 
occurrence of $c$. For this reason we have $t \smile^\bullet v$ but $v \not\smile^\bullet t$. 
Example 5. Let $P$ be the process $a^{\wedge}s | s$, and let $t$ and $v$ be the derivations of 
the $a$- and $\tau$-transitions of $P$. The occurrence of $a$ disrupts the emission of the 
signal $s$, thereby disabling the $\tau$-transition. However, reading the signal does not 
affect the possible occurrence of $a$. For this reason we have $t \smile^\bullet v$ but $v \not\smile^\bullet t$. 


Proposition 1. Assume (4)-(7). Then the LTS $(\mathbb{P}, Tr, src, target, \ell)$, augmented 
with the concurrency relation $\smile^\bullet$, is an LTSC in the sense of Definition 4. 


We now proceed to define the relations $\leadsto$ and $\smile$ on synchrons, and then 
lift them to derivations. Subsequently, we establish (4)-(7). 

The elements $+_L$, $+_R$, $A{:}$ and $\dot r$ of $Arg$ are called dynamic [20]; the others are 
static. (Static operators stay around when their arguments perform transitions.) 
For $\sigma \in Arg^*$ let $static(\sigma)$ be the result of removing all dynamic elements from 
$\sigma$. For $\varsigma = \sigma\nu$ with $\nu \in \{(\stackrel{\alpha}{\to}P), (P\stackrel{\dot s}{\to}), (b{:})\}$ let $static(\varsigma) := static(\sigma)\nu$. 


Definition 6. A synchron $\varsigma'$ is a possible successor of a synchron $\varsigma$, notation 
$\varsigma \leadsto \varsigma'$, if either $\varsigma' = \varsigma$, or $\varsigma$ has the form $\sigma_1|_D\varsigma_2$ for some $\sigma_1 \in Arg^*$, $D \in \{L, R\}$ 
and $\varsigma_2$ a synchron, and $\varsigma' = static(\sigma_1)|_D\varsigma_2$. 


Definition 7. Two synchrons $\varsigma$ and $\upsilon$ are directly concurrent, notation $\varsigma \smile_d \upsilon$, 
if $\varsigma$ has the form $\sigma_1|_D\varsigma_2$ and $\upsilon = \sigma_1|_E\upsilon_2$ with $\{D, E\} = \{L, R\}$. Two synchrons 
$\varsigma'$ and $\upsilon'$ are concurrent, notation $\varsigma' \smile \upsilon'$, if $\exists \varsigma, \upsilon.\ \varsigma \leadsto \varsigma' \wedge \upsilon \leadsto \upsilon' \wedge \varsigma \smile_d \upsilon$. 


Necessary and Active Synchrons. All synchrons of the form $\sigma(\stackrel{\alpha}{\to}P)$ are active; 
their execution causes a transition $\alpha.P \xrightarrow{\alpha} P$ in the relevant component of the 
represented system. Synchrons $\sigma(P\stackrel{\dot s}{\to})$ and $\sigma(b{:})$ are passive; they do not affect 
any state change. Let $a\varsigma(t)$ denote the set of active synchrons of a derivation 
$t$. So a transition $t$ is labelled by a signal, i.e. $\ell(t) \notin Act$, iff $a\varsigma(t) = \emptyset$. 

Whether a synchron $\varsigma \in \varsigma(t)$ is necessary for $t$ to occur is defined only for 
$t \in Tr^\bullet$. If $t$ is the derivation of a broadcast transition, i.e., $\ell(t) = b!$ for some 
$b \in \mathcal{B}$, then exactly one synchron $\upsilon \in \varsigma(t)$ is of the form $\sigma(\stackrel{b!}{\to}P)$, while all the 
other $\varsigma \in \varsigma(t)$ are of the form $\sigma'(\stackrel{b?}{\to}Q)$ (or possibly $\sigma'(b{:})$ in ABCd). Only the 
synchron $\upsilon$ is necessary for the broadcast to occur, as a broadcast is unaffected 
by whether or not someone listens to it. Hence we define $n\varsigma(t) := \{\upsilon\}$. For all 
$t \in Tr^\bullet$ with $\ell(t) \notin \mathcal{B}!$ (i.e. $\ell(t) \in \mathcal{S} \cup \mathcal{C}h \cup \bar{\mathcal{C}h} \cup \{\tau\}$) we set $n\varsigma(t) := \varsigma(t)$, 
thereby declaring all synchrons of the derivation necessary. 


Definition 8. A derivation $t' \in Tr^\bullet$ is a possible successor of a derivation $t \in$ 
$Tr^\bullet$, notation $t \leadsto t'$, if $t$ and $t'$ have equally many necessary synchrons and each 
necessary synchron of $t'$ is a possible successor of one of $t$; i.e., if $|n\varsigma(t)| = |n\varsigma(t')|$ 
and $\forall \varsigma' \in n\varsigma(t').\ \exists \varsigma \in n\varsigma(t).\ \varsigma \leadsto \varsigma'$. 


This implies that the relation $\leadsto$ between $n\varsigma(t)$ and $n\varsigma(t')$ is a bijection. 


Definition 9. Derivation $t \in Tr^\bullet$ is unaffected by $u$, notation $t \smile^\bullet u$, if $\forall \varsigma \in$ 
$n\varsigma(t).\ \forall \upsilon \in a\varsigma(u).\ \varsigma \smile \upsilon$. 
So $t$ is unaffected by $u$ if no active synchron of $u$ interferes with a necessary 
synchron of $t$. Passive synchrons do not interfere at all. 

In Example 3 one has $t_d \smile t_e$, $t_d \leadsto t_d'$ and $t_d' \smile t_e$. Here $t \smile u$ denotes 
$t \smile^\bullet u \wedge u \smile^\bullet t$. 


Proposition 2. The relations $\leadsto$ and $\smile^\bullet$ satisfy the properties (4)-(7). 


5 Components 


This section proposes a concept of system components associated to a transi- 
tion, with a classification of components as necessary and/or affected. We then 
define a concurrency relation $\smile^\bullet_s$ in terms of these components, closely mirroring 
Definition 9 in Sect. 4 of the concurrency relation $\smile^\bullet$ in terms of synchrons. We 
show that $\smile^\bullet$ and $\smile^\bullet_s$, as well as the concurrency relation $\smile^\bullet_c$ defined in terms of 
components in Sect. 2, give rise to the same concept of justness. 

A static component is a string $\gamma \in Arg^*$ of static arguments. Let $\mathcal{C}$ be the 
set of static components. The static component $c(\varsigma)$ of a synchron $\varsigma$ is defined 
to be the largest prefix $\gamma$ of $\varsigma$ that is a static component. 

Let $comp(t) := \{c(\varsigma) \mid \varsigma \in \varsigma(t)\}$ be the set of static components of $t$. Moreover, 
$npc(t) := \{c(\varsigma) \mid \varsigma \in n\varsigma(t)\}$ and $afc(t) := \{c(\varsigma) \mid \varsigma \in a\varsigma(t)\}$ are the necessary 
and affected static components of $t \in Tr$. Since $n\varsigma(t) \subseteq \varsigma(t)$ and $a\varsigma(t) \subseteq \varsigma(t)$, we 
have $npc(t) \subseteq comp(t)$ and $afc(t) \subseteq comp(t)$. 

Two static components $\gamma$ and $\delta$ are concurrent, notation $\gamma \smile \delta$, if $\gamma = \sigma_1|_D\gamma_2$ 
and $\delta = \sigma_1|_E\delta_2$ with $\{D, E\} = \{L, R\}$. 


Definition 10. Derivation $t \in Tr^\bullet$ is statically unaffected by $u$, $t \smile^\bullet_s u$, iff 
$\forall \gamma \in npc(t).\ \forall \delta \in afc(u).\ \gamma \smile \delta$. 


Proposition 3. If $t \smile^\bullet_s u$ then $t \smile^\bullet u$. 


In Example 3 we have $t_d \smile t_e$ but $t_d \not\smile_s t_e$, for $npc(t_e) = comp(t_e) = comp(t_d) =$ 
$afc(t_d) = \{\backslash c\,|_L\}$. Here $t \smile_s u$ denotes $t \smile^\bullet_s u \wedge u \smile^\bullet_s t$. Hence the implication 
of Proposition 3 is strict. 


Proposition 4. The functions $npc$ and $afc: Tr \to \mathcal{P}(\mathcal{C})$ satisfy closure prop- 
erty (3) of Sect. 2. 


The concurrency relation $\smile^\bullet_c$ defined in terms of static components according 
to the template in [16], recalled in Sect. 2, is not identical to $\smile^\bullet_s$: 


Definition 11. Let $t, u$ be derivations. Write $t \smile^\bullet_c u$ iff $npc(t) \cap afc(u) = \emptyset$. 


Nevertheless, we show that for the study of justness it makes no difference 
whether justness is defined using the concurrency relation $\smile^\bullet$, $\smile^\bullet_s$ or $\smile^\bullet_c$. 


Theorem 2. A path is $\smile^\bullet$-$B$-just iff it is $\smile^\bullet_s$-$B$-just iff it is $\smile^\bullet_c$-$B$-just. 
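The synchron machinery of Sect. 4 and the static components of Sect. 5, worked through on Examples 3 and 4, as an added example in Python; this is not code from the paper. Derivations are written down as nested tuples using the derivation names of Sect. 4 rather than inferred from the SOS rules, the function `concurrent` checks Definition 7 through an equivalent reformulation of my own, CCSS signal and ABCd discard derivations are not modelled, and Definition 8 is not implemented.

```python
"""Synchrons, static components and the concurrency relations of Sections 4 and 5
(Definitions 6, 7 and 9 to 11) for CCS derivations with ABC broadcast. Added example,
not the paper's code: derivation trees are written as nested tuples rather than inferred
from the SOS rules, and CCSS signal and ABCd discard derivations are not modelled."""
from itertools import takewhile

# Derivation = nested tuple whose first element names the rule (derivation names of Sect. 4):
#   ('act', alpha, P)  the (Act) derivation of alpha.P --alpha--> P, i.e. the leaf (alpha->P)
#   ('+L', t, Q) ('+R', P, t) ('|L', t, Q) ('|R', P, t) ('|', t, u)   t+Q, P+t, t|Q, P|u, t|u
#   ('\\', t, c) ('[f]', t, f) ('A:', A, t)                            t\c, t[f], A:t
# Actions are strings: 'c', '~c' (co-name), 'tau', 'b!' (broadcast), 'b?' (receive).

def is_dynamic(arg):            # +L, +R and A: are dynamic; |L, |R, \c and [f] are static
    return arg in ('+L', '+R') or arg.endswith(':')

def compose(l1, l2):
    """Label of a (Comm)/(Bro-C) synchronisation: c,~c -> tau; b!,b? -> b!; b?,b? -> b?."""
    if l1 == '~' + l2 or l2 == '~' + l1:
        return 'tau'
    tags = (l1[-1], l2[-1])
    if set(tags) <= {'!', '?'} and l1[:-1] == l2[:-1] and tags != ('!', '!'):
        return l1[:-1] + ('!' if '!' in tags else '?')
    raise ValueError(f'{l1} and {l2} cannot synchronise')

def label(t):
    """The label of the transition derived by t (side conditions of (Res) are not checked)."""
    rule = t[0]
    if rule == 'act':
        return t[1]
    if rule == '|':
        return compose(label(t[1]), label(t[2]))
    if rule in ('+R', '|R', 'A:'):
        return label(t[2])
    return t[2](label(t[1])) if rule == '[f]' else label(t[1])   # '+L', '|L', '\\'

def synchrons(t):
    """sigma(t): root-to-leaf paths of proof tree t, as tuples of Arg elements plus the leaf."""
    rule = t[0]
    if rule == 'act':
        return {(t,)}
    if rule == '|':
        return {('|L',) + s for s in synchrons(t[1])} | {('|R',) + s for s in synchrons(t[2])}
    if rule in ('+R', '|R', 'A:'):
        return {(t[1] + ':' if rule == 'A:' else rule,) + s for s in synchrons(t[2])}
    arg = {'\\': '\\' + str(t[2]), '[f]': '[f]'}.get(rule, rule)   # '+L' and '|L' keep their name
    return {(arg,) + s for s in synchrons(t[1])}

def active(t):                  # a-sigma(t): synchrons with an (alpha->P) leaf (all of them here)
    return {s for s in synchrons(t) if s[-1][0] == 'act'}
def necessary(t):               # n-sigma(t): for a broadcast b! only the broadcasting synchron
    l = label(t)
    return {s for s in synchrons(t) if s[-1][1] == l} if l.endswith('!') else synchrons(t)
def static(args):
    return tuple(a for a in args if not is_dynamic(a))
def par_splits(s):              # all ways of writing synchron s as rho |_D s2, as pairs (rho, D)
    return [(s[:k], a[1]) for k, a in enumerate(s[:-1]) if a in ('|L', '|R')]

def successors_of_prefix(rho):
    """rho and every rho' obtained as in Definition 6 by making the part of rho up to some
    parallel argument, or all of rho, static."""
    out = {rho, static(rho)}
    for k, a in enumerate(rho):
        if a in ('|L', '|R'):
            out.add(static(rho[:k]) + rho[k:])
    return out

def concurrent(s, v):
    """Definition 7, s ⌣ v: some predecessors of s and v are directly concurrent. Checked via
    an equivalent reformulation (mine, not the paper's): s and v split at parallel arguments
    on opposite sides, with one prefix a Definition-6 successor of the other."""
    return any(d != e and (r2 in successors_of_prefix(r1) or r1 in successors_of_prefix(r2))
               for r1, d in par_splits(s) for r2, e in par_splits(v))

def unaffected(t, u):           # Definition 9, t ⌣• u
    return all(concurrent(s, v) for s in necessary(t) for v in active(u))

def static_component(s):        # c(s): the largest prefix of s made of static arguments only
    return tuple(takewhile(lambda a: not is_dynamic(a), s[:-1]))
def npc(t):                     # necessary participating components (Sect. 5)
    return {static_component(s) for s in necessary(t)}
def afc(t):                     # affected components (Sect. 5)
    return {static_component(s) for s in active(t)}

def components_concurrent(g, d):   # gamma ⌣ delta: common prefix, then |L on one side, |R on the other
    return any(g[:k] == d[:k] and {g[k], d[k]} == {'|L', '|R'} for k in range(min(len(g), len(d))))
def unaffected_s(t, u):         # Definition 10, t ⌣•_s u
    return all(components_concurrent(g, d) for g in npc(t) for d in afc(u))
def unaffected_c(t, u):         # Definition 11, t ⌣•_c u
    return not (npc(t) & afc(u))

# Example 3: P = ((c.Q + (d.R|e.S)) | ~c.T) \ c; T_D2 is t_d', taken from the state reached by t_e.
T_C = ('\\', ('|', ('+L', ('act', 'c', 'Q'), 'd.R|e.S'), ('act', '~c', 'T')), 'c')
T_D = ('\\', ('|L', ('+R', 'c.Q', ('|L', ('act', 'd', 'R'), 'e.S')), '~c.T'), 'c')
T_E = ('\\', ('|L', ('+R', 'c.Q', ('|R', 'd.R', ('act', 'e', 'S'))), '~c.T'), 'c')
T_D2 = ('\\', ('|L', ('|L', ('act', 'd', 'R'), 'S'), '~c.T'), 'c')
# Example 4 (ABC): P = b! | (b? + c); T_BRO derives the b!-transition, V_C the c-transition.
T_BRO = ('|', ('act', 'b!', '0'), ('+L', ('act', 'b?', '0'), 'c'))
V_C = ('|R', 'b!', ('+R', 'b?', ('act', 'c', '0')))

if __name__ == '__main__':
    print(unaffected(T_D, T_E), unaffected(T_D2, T_E), unaffected(T_D, T_C))   # True True False
    print(unaffected_s(T_D, T_E), unaffected(T_BRO, V_C), unaffected(V_C, T_BRO))  # False True False
```

Running the block reproduces the claims of Example 3 ($t_d \smile t_e$, $t_d' \smile t_e$, $t_d \not\smile_s t_e$) and the asymmetry of Example 4.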
6 A Coinductive Characterisation of Justness 


In this section we show that the $\smile^\bullet$-based concept of justness defined in this 
paper coincides with a coinductively defined concept of justness for CCS and 
ABC, originating from [15]. To state the coinductive definition of justness, we 
need to define the notion of the decomposition of a path starting from a process 
with a leading static operator. 

Any derivation $t \in Tr$ of a transition with $src(t) = P|Q$ has the shape 


– $u|Q$, with $target(t) = target(u)|Q$, 
– $u|v$, with $target(t) = target(u)|target(v)$, 
– or $P|v$, with $target(t) = P|target(v)$. 


Let a path of a process $P$ be a path as in Definition 2 starting with $P$. Now the 
decomposition of a path $\pi$ of $P|Q$ into paths $\pi_1$ and $\pi_2$ of $P$ and $Q$, respectively, 
is obtained by concatenating all left-projections of the states and transitions of $\pi$ 
into a path of $P$ and all right-projections into a path of $Q$; notation $\pi \Rrightarrow \pi_1|\pi_2$. 
Here it could be that $\pi$ is infinite, yet either $\pi_1$ or $\pi_2$ (but not both) are finite. 

Likewise, $t \in Tr$ with $src(t) = P[f]$ has the shape $u[f]$ with $target(t) =$ 
$target(u)[f]$. The decomposition $\pi'$ of a path $\pi$ of $P[f]$ is the path obtained 
by leaving out the outermost $[f]$ of all states and transitions in $\pi$, notation 
$\pi \Rrightarrow \pi'[f]$. In the same way one defines the decomposition of a path of $P\backslash c$. 

The following co-inductive definition of the family $B$-justness of predicates 
on paths, with one family member for each choice of a set $B$ of blocking actions, 
stems from [15, Appendix E]; here $\bar D := \{\bar c \mid c \in D\}$. 


Definition 12. $B$-justness, for $\mathcal{B}? \subseteq B \subseteq Act$, is the largest family of predi- 
cates on the paths in the LTS of ABC such that 


– a finite $B$-just path ends in a state that admits actions from $B$ only; 

– a $B$-just path of a process $P|Q$ can be decomposed into a $C$-just path of $P$ 
and a $D$-just path of $Q$, for some $C, D \subseteq B$ such that $\tau \in B \vee C \cap \bar D = \emptyset$; 

– a $B$-just path of $P\backslash L$ can be decomposed into a $B \cup L \cup \bar L$-just path of $P$; 

– a $B$-just path of $P[f]$ can be decomposed into an $f^{-1}(B)$-just path of $P$; 

– and each suffix of a $B$-just path is $B$-just. 


Intuitively, justness is a completeness criterion, telling which paths can actually 
occur as runs of the represented system. A path is $B$-just if it can occur in an 
environment that may block the actions in $B$. In this light, the first, third, fourth 
and fifth requirements above are intuitively plausible. The second requirement 
first of all says that if $\pi \Rrightarrow \pi_1|\pi_2$ and $\pi$ can occur in the environment that 
may block the actions in $B$, then $\pi_1$ and $\pi_2$ must be able to occur in such 
an environment as well, or in environments blocking less. The last clause in this 
requirement prevents a $C$-just path of $P$ and a $D$-just path of $Q$ from composing into 
a $B$-just path of $P|Q$ when $C$ contains an action $c$ and $D$ the complementary 
action $\bar c$ (except when $\tau \in B$). The reason is that no environment (except one 
that can block $\tau$-actions) can block both actions for their respective components, 
as nothing can prevent them from synchronising with each other. 
The fifth requirement helps characterising processes of the form $b + (A|b)$ and 
$a.(A|b)$, with $A \stackrel{\mathit{def}}{=} a.A$. Here, the first transition 'gets rid of' the choice and of 
the leading action $a$, respectively, and this requirement reduces the justness of 
paths of such processes to their suffixes. 


Example 6. To illustrate Definition 12 consider the unique infinite path of the 
process Alice|Cataline of Example 2 in which the transition $t$ does not occur. 
Taking the empty set of blocking actions, we ask whether this path is $\emptyset$-just. If 
it were, then by the second requirement of Definition 12 the projection of this 
path on the process Cataline would need to be $\emptyset$-just as well. This is the path 1 
(without any transitions) in Example 1. It is not $\emptyset$-just by the first requirement 
of Definition 12, because its last state 1 admits a transition. 


We now establish that the concept of justness from Definition 12 agrees with the 
concept of justness defined earlier in this paper. 


Theorem 3. A path is $\smile^\bullet_c$-$B$-just iff it is $B$-just in the sense of Definition 12. 


If a path $\pi$ is $B$-just then it is $C$-just for any $C \supseteq B$. Moreover, the collection 
of sets $B$ such that a given path $\pi$ is $B$-just is closed under arbitrary intersection, 
and thus there is a least set $B_\pi$ such that $\pi$ is $B_\pi$-just. Actions $\alpha \in B_\pi$ are called 
$\pi$-enabled [14]. A path is called just (without a predicate $B$) iff it is $B$-just 
for some $\mathcal{B}? \subseteq B \subseteq \mathcal{B}? \cup \mathcal{C}h \cup \bar{\mathcal{C}h} \cup \mathcal{S}$ [3, 6, 14, 15], which is the case iff it is 
$\mathcal{B}? \cup \mathcal{C}h \cup \bar{\mathcal{C}h} \cup \mathcal{S}$-just. 

In [3] a definition of justness for CCS with signal transitions appears, very 
similar to Definition 12; it also applies to CCSS as presented here. Generalising 
Theorem 3, one can show that a path is ($\smile^\bullet_s$- or $\smile^\bullet_c$- or) $\smile^\bullet$-just iff it is just in 
this sense. The same holds for the coinductive definition of justness from [6]. 


7 Conclusion 


We advocate justness as a reasonable completeness criterion for formalising live- 
ness properties when modelling distributed systems by means of transition sys- 
tems. In [16] we proposed a definition of justness in terms of a, possibly asym- 
metric, concurrency relation between transitions. The current paper defined such 
a concurrency relation for the transition systems associated to CCS, as well as 
its extensions with broadcast communication and signals, thereby making the 
definition of justness from [16] available to these languages. In fact, we pro- 
vided three versions of the concurrency relation, and showed that they all give 
rise to the same concept of justness. We expect that this style of definition will 
carry over to many other process algebras. We showed that justness satisfies the 
criterion of feasibility, and proved that our formalisation agrees with previous 
coinductive formalisations of justness for these languages. 

Concurrency relations between transitions in transition systems have been 
studied in [28]. Our concurrency relation $\smile^\bullet$ follows the same computational 
intuition. However, in [28] transitions are classified as concurrent or not only 
when they have the same source, whereas as a basis for the definition of justness 
here we need to compare transitions with different sources. Apart from that, our 
concurrency relation is more general in that it satisfies fewer closure properties, 
and moreover is allowed to be asymmetric. 

Concurrency is represented explicitly in models like Petri nets [26], event 
structures [29], or asynchronous transition systems [2,27,30]. We believe that the 
semantics of CCS in terms of such models agrees with its semantics in terms of 
labelled transition systems with a concurrency relation as given here. However, 
formalising such a claim requires a choice of an adequate justness-preserving 
semantic equivalence defined on the compared models. Development of such 
semantic equivalences is a topic for future research. 


Acknowledgement. I am grateful to Peter Höfner, Victor Dyseryn and Filippo de 
Bortoli for valuable feedback. 
Abstract. There are different categorical approaches to variations of 
transition systems and their bisimulations. One is coalgebra for a functor 
G, where a bisimulation is defined as a span of G-coalgebra homomor- 
phisms. Another one is in terms of path categories and open morphisms, 
where a bisimulation is defined as a span of open morphisms. This simi- 
larity is no coincidence: given a functor G, fulfilling certain conditions, we 
derive a path-category for pointed G-coalgebras and lax homomorphisms, 
such that the open morphisms turn out to be precisely the G-coalgebra 
homomorphisms. The above construction provides path-categories and 
trace semantics for free for different flavours of transition systems: (1) 
non-deterministic tree automata, (2) regular nondeterministic nominal 
automata (RNNA), an expressive automata notion living in nominal sets, 
and (3) multisorted transition systems. This last instance relates to Lasota's 
construction, which is in the converse direction. 


Keywords: Coalgebra · Open maps · Categories · Nominal sets 


1 Introduction 


Coalgebras [25] and open maps [16] are two main categorical approaches to tran- 
sition systems and bisimulations. The former describes the branching type of 
systems as an endofunctor, a system becoming a coalgebra and bisimulations 
being spans of coalgebra homomorphisms. Coalgebra theory makes it easy to 
consider state space types in different settings, e.g. nominal sets [17,18] or alge- 
braic categories [5, 11,20]. The latter, open maps, describes systems as objects of 
Table 1. Two approaches to categorical (bi)simulations 

worlds                 | data                  | systems                      | func. sim.          | func. bisim.           | (bi)simulation 
open maps              | J: P → M (Def. 2.4)   | obj(M)                       | mor(M)              | open maps (Def. 2.5)   | span of open maps 
coalgebra (this paper) | G: C → C (Def. 2.7)   | pointed G-coalg. (Sec. 2.2)  | lax hom. (Def. 2.8) | coalg. hom. (Def. 2.6) | span of coalg. hom. 


a category and the execution types as particular objects called paths. In this case, 
bisimulations are spans of open morphisms. Open maps are particularly adapted 
to extend bisimilarity to history dependent behaviors, e.g. true concurrency [7,8], 
timed systems [22] and weak (bi)similarity [9]. Coalgebra homomorphisms and 
open maps are then key concepts to describe bisimilarity categorically. They 
intuitively correspond to functional bisimulations, that is, those maps between 
states whose graph is a bisimulation. 

We are naturally interested in the relationship between those two categorical
approaches to transition systems and bisimulations. A reduction of open
maps situations to coalgebra was given by Lasota using multi-sorted transition
systems [19]. In this paper, we give the reduction in the other direction: from
the category Coalg_l(TF) of pointed TF-coalgebras and lax homomorphisms, we
construct the path-category Path and a functor J: Path → Coalg_l(TF) such
that Path-open morphisms coincide with strict homomorphisms, hence functional
bisimulations. Here, T is a functor describing the branching behaviour and F
describes the input type, i.e. the type of data that is processed (e.g. words or
trees). This development is carried out for the case where T is a powerset-like
functor, and covers transition systems allowing non-deterministic branching.

The key concept in the construction of Path are F-precise maps. Roughly
speaking, in Set, a map f: X → FY is F-precise if every y ∈ Y is used precisely
once in f, i.e. there is a unique x such that y appears in f(x) and
additionally y appears precisely once in f(x). Such an F-precise map represents one
deterministic step (of shape F). Then a path P ∈ Path is a finite sequence of
deterministic steps, i.e. finitely many precise maps. J converts such data into
a pointed TF-coalgebra. There are many existing notions of paths and traces in
coalgebra [4,12,13,21], which lack the notion of precise map, which is crucial for
the present work.

Once we set up the situation J: Path → Coalg_l(TF), we are in the framework
of open map bisimulations. Our construction of Path using precise maps
is justified by the characterisation theorem: Path-open morphisms and strict
coalgebra homomorphisms coincide (Theorems 3.20 and 3.24). This coincidence
relies on the concept of path-reachable coalgebras, namely, coalgebras such that
every state can be reached by a path. Under mild conditions, path-reachability
is equivalent to an existing notion in coalgebra, defined as the non-existence of
a proper sub-coalgebra (Sect. 3.5). Additionally, this characterization produces
a canonical trace semantics for free, given in terms of paths (Sect. 3.6).
We illustrate our reduction with several concrete situations: different classes
of non-deterministic top-down tree automata using analytic functors (Sect. 4.1),
Regular Nondeterministic Nominal Automata (RNNA), an expressive automata
notion living in nominal sets (Sect. 4.2), and multisorted transition systems, used in
Lasota's work to construct a coalgebra situation from an open map situation
(Sect. 4.3).


Notation. We assume basic categorical knowledge and notation (see e.g. [1,3]).
The cotupling of morphisms f: A → C, g: B → C is denoted by [f, g]: A + B → C,
and the unique morphism to the terminal object is !: X → 1 for every X.


2 Two Categorical Approaches for Bisimulations 


We introduce the two formalisms involved in the present paper: the open maps 
(Sect. 2.1) and the coalgebras (Sect. 2.2). Those formalisms will be illustrated on 
the classic example of Labelled Transition Systems (LTSs). 


Definition 2.1. Fix a set A, called the alphabet. A labelled transition system is
a triple (S, i, Δ) with S a set of states, i ∈ S the initial state, and Δ ⊆ S × A × S
the transition relation. When Δ is obvious from the context, we write s -a-> s'
to mean (s, a, s') ∈ Δ.


For instance, the tuple ({0, …, n}, 0, {(k−1, a_k, k) | 1 ≤ k ≤ n}) is an LTS,
called the linear system over the word a_1⋯a_n ∈ A*. To relate LTSs, one
considers functions that preserve the structure of LTSs:


Definition 2.2. A morphism of LTSs from (S, i, Δ) to (S', i', Δ') is a function
f: S → S' such that f(i) = i' and for every (s, a, s') ∈ Δ, (f(s), a, f(s')) ∈ Δ'.
LTSs and morphisms of LTSs form a category, which we denote by LTS_A.


Some authors choose other notions of morphisms (e.g. [16]), allowing them 
to operate between LTSs with different alphabets for example. The usual way 
of comparing LTSs is by using simulations and bisimulations [23]. The for- 
mer describes what it means for a system to have at least the behaviours of 
another, the latter describes that two systems have exactly the same behaviours. 
Concretely: 


Definition 2.3. A simulation from (S, i, Δ) to (S', i', Δ') is a relation R ⊆
S × S' such that (1) (i, i') ∈ R, and (2) for every s -a-> t and (s, s') ∈ R, there
is t' ∈ S' such that s' -a-> t' and (t, t') ∈ R. Such a relation R is a bisimulation
if R^{-1} = {(s', s) | (s, s') ∈ R} is also a simulation.


Morphisms of LTSs are functional simulations, i.e. functions between states 
whose graph is a simulation. So how to model (1) systems, (2) functional simu- 
lations and (3) functional bisimulations categorically? In the next two sections, 
we will describe known answers to this question, with open maps and coalgebra. 
In both cases, it is possible to capture similarity and bisimilarity of two LTSs T
and T'. Generally, a simulation is a (jointly monic) span of a functional bisimulation
and a functional simulation, and a bisimulation is a simulation whose
converse is also a simulation, as depicted in Table 1. Consequently, to understand
similarity and bisimilarity on a general level, it is enough to understand
functional simulations and bisimulations.


2.1 Open Maps 


The categorical framework of open maps [16] assumes functional simulations to
be already modeled as a category M. For example, for M := LTS_A, objects are
LTSs, and morphisms are functional simulations. Furthermore, the open maps
framework assumes another category P of 'paths' or 'linear systems', together
with a functor J that tells how a 'path' is to be understood as a system:


Definition 2.4 [16]. An open map situation is given by categories M ('systems'
with 'functional simulations') and P ('paths') together with a functor J: P → M.


For example with M := LTS_A, we pick P := (A*, ≤) to be the poset of words over
A with prefix order. Here, the functor J maps a word w ∈ A* to the linear system
over w, and w ≤ v to the evident functional simulation J(w ≤ v): Jw → Jv.

In an open map situation J: P → M, we can abstractly represent the concept
of a run in a system. A run of a path w ∈ P in a system T ∈ M is simply defined
to be an M-morphism of type Jw → T. With this definition, each M-morphism
h: T → T' (i.e. functional simulation) inherently transfers runs: given a run
x: Jw → T, the morphism h · x: Jw → T' is a run of w in T'. In the example
open map situation J: (A*, ≤) → LTS_A, a run of a path w = a_1⋯a_n ∈ A*
in an LTS T = (S, i, Δ) is nothing but a sequence of states x_0, …, x_n ∈ S such
that x_0 = i and x_{k−1} -a_k-> x_k holds for all 1 ≤ k ≤ n.

We introduce the concept of open map [16]. This is an abstraction of the
property possessed by functional bisimulations. For LTSs T = (S, i, Δ) and T' =
(S', i', Δ'), an LTS_A-morphism h: T → T' is a functional bisimulation if the
graph of h is a bisimulation. This implies the following relationship between
runs in T and runs in T'. Suppose that w ≤ w' holds in A*, and a run x of w
in T is given as in (1); here n, m are the lengths of w, w' respectively. Then for any
run y' of w' in T' extending h · x as in (2), there is a run x' of w' extending x,
and moreover its image by h coincides with y' (that is, h · x' = y'). Such x' is
obtained by repeatedly applying the condition of functional bisimulation.

$$x_0 \xrightarrow{w_1} x_1 \xrightarrow{w_2} \cdots \xrightarrow{w_n} x_n \xrightarrow{w_{n+1}} x'_{n+1} \xrightarrow{w_{n+2}} \cdots \xrightarrow{w_m} x'_m \qquad (\text{in } T) \qquad (1)$$

(the first n steps form the run x of w, the whole sequence the run x' of w')

$$h(x_0) \xrightarrow{w_1} h(x_1) \xrightarrow{w_2} \cdots \xrightarrow{w_n} h(x_n) \xrightarrow{w_{n+1}} y'_{n+1} \xrightarrow{w_{n+2}} \cdots \xrightarrow{w_m} y'_m \qquad (\text{in } T') \qquad (2)$$

(the run y' of w', extending h · x)

Observe that y' extending h · x can be represented as y' · J(w ≤ w') = h · x,
and x' extending x as x' · J(w ≤ w') = x. From these, we conclude that if an
LTS_A-morphism h: T → T' is a functional bisimulation, then for any w ≤ w'
in A* and runs x: Jw → T and y': Jw' → T' such that y' · J(w ≤ w') = h · x,
there is a run x': Jw' → T such that x' · J(w ≤ w') = x and h · x' = y' (the
converse also holds if all states of T are reachable). This necessary condition of
functional bisimulation can be rephrased in any open map situation, leading us
to the definition of open map.


Definition 2.5 [16]. Let J: P → M be an open map situation.
An M-morphism h: T → T' is said to be open if for every
morphism φ: w → w' in P making the square below commute,
there is x' making the two triangles commute:

$$\begin{array}{ccc} Jw & \xrightarrow{\ x\ } & T \\ {\scriptstyle J\varphi}\downarrow & \nearrow{\scriptstyle x'} & \downarrow{\scriptstyle h} \\ Jw' & \xrightarrow{\ y\ } & T' \end{array}$$

That is, whenever h · x = y · Jφ, there is x': Jw' → T with x' · Jφ = x and
h · x' = y.


Open maps are closed under composition and stable under pullback [16]. 


2.2 Coalgebras 


The theory of G-coalgebras is another categorical framework to study
bisimulations. The type of systems is modelled using an endofunctor G: C → C and
a system is then a coalgebra for this functor, that is, a pair of an object S
of C (modeling the state space), and of a morphism of type S → GS (modeling
the transitions). For example for LTSs, the transition relation is of type
Δ ⊆ S × A × S. Equivalently, this can be defined as a function Δ: S → P(A × S),
where P is the powerset. In other words, the transition relation is a coalgebra for
the Set-functor P(A × −). Intuitively, this coalgebra gives the one-step behaviour
of an LTS: S describes the state space of the system, P describes the 'branching
type' as being non-deterministic, A × S describes the 'computation type' as
being linear, and the function itself lists all possible futures after one step of
computation of the system. Now, changing the underlying category or the
endofunctor allows us to model different types of systems. This is the usual framework
of coalgebra, as described for example in [25].

Initial states are modelled coalgebraically by a pointing to the carrier i: I →
S for a fixed object I in C, describing the 'type of initial states' (see e.g. [2,
Sec. 3B]). For example, an initial state of an LTS is the same as a function from
the singleton set I := {∗} to the state space S. This object I will often be the
final object of C, but we will see other examples later. In total, an I-pointed G-
coalgebra is a C-object S together with morphisms α: S → GS and i: I → S.
E.g. an LTS is an I-pointed G-coalgebra for I = {∗} and GX = P(A × X).

In coalgebra, functional bisimulations are the first class citizens to be mod- 
elled as homomorphisms. The intuition is that those preserve the initial state, 
and preserve and reflect the one-step relation. 


Definition 2.6. An I-pointed G-coalgebra homomorphism
from I -i-> S -α-> GS to I -i'-> S' -α'-> GS' is a morphism
f: S → S' making the following diagram commute:

$$\begin{array}{ccccc} I & \xrightarrow{\ i\ } & S & \xrightarrow{\ \alpha\ } & GS \\ & {\scriptstyle i'}\searrow & \downarrow{\scriptstyle f} & & \downarrow{\scriptstyle Gf} \\ & & S' & \xrightarrow{\ \alpha'\ } & GS' \end{array}$$

That is, f · i = i' and Gf · α = α' · f.
For instance, when G = P(A × −), one can easily see that a function f is a
G-coalgebra homomorphism iff it is a functional bisimulation. Thus, if we want
to capture functional simulations in LTSs, we need to weaken the condition of
homomorphism to the inequality Gf(α(s)) ⊆ α'(f(s)) (instead of equality). To
express this condition for general G-coalgebras, we introduce a partial order
⊑_{X,Y} on each homset C(X, GY) in a functorial manner.


Definition 2.7. A partial order on G-homsets is a functor ⊑: C^op × C → Pos
such that U · ⊑ = C(−, G−); here, U: Pos → Set is the forgetful functor from
the category Pos of posets and monotone functions.


The functoriality of ⊑ amounts to the fact that f_1 ⊑ f_2 implies Gh · f_1 · g ⊑ Gh · f_2 · g.


Definition 2.8. Given a partial order on G-homsets, an
I-pointed lax G-coalgebra homomorphism f: (S, α, i) →
(S', α', i') is a morphism f: S → S' making the following
diagram commute, the square only up to ⊑:

$$\begin{array}{ccccc} I & \xrightarrow{\ i\ } & S & \xrightarrow{\ \alpha\ } & GS \\ & {\scriptstyle i'}\searrow & \downarrow{\scriptstyle f} & \sqsubseteq & \downarrow{\scriptstyle Gf} \\ & & S' & \xrightarrow{\ \alpha'\ } & GS' \end{array}$$

That is, f · i = i' and Gf · α ⊑ α' · f. The I-pointed G-coalgebras and lax
homomorphisms form a category, denoted by Coalg_l(I, G).


Conclusion 2.9. In Set, with I = {∗}, G = P(A × −), define the order f ⊑ g in
Set(X, P(A × Y)) iff for every x ∈ X, f(x) ⊆ g(x). Then Coalg_l({∗}, P(A × −)) ≅
LTS_A. In particular, we have an open map situation

$$P = (A^*, \le) \xrightarrow{\ J\ } M = \mathrm{LTS}_A \cong \mathrm{Coalg}_l(\{*\}, \mathcal{P}(A \times -))$$

and the open maps are precisely the coalgebra homomorphisms (for reachable
LTSs). In this paper, we will construct a path category P for more general I and
G, such that the open morphisms are precisely the coalgebra homomorphisms.
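The LTS case of Conclusion 2.9 made concrete, as an added example that is not code from the paper: an LTS is stored as its coalgebra structure α: S → P(A × S), and the homomorphism and lax homomorphism conditions of Definitions 2.6 and 2.8 are compared with the relational (bi)simulations of Definition 2.3. The systems T1, T2 and the maps EMBED and COLLAPSE are constructed sample data.

```python
# Added example (not from the paper): an LTS as a {*}-pointed P(A x _)-coalgebra,
# with the (lax) homomorphism conditions checked against relational (bi)simulations.
# All systems and maps below are constructed sample data.

class LTS:
    """(S, i, Delta) with Delta a set of (source, label, target) triples."""
    def __init__(self, states, init, trans):
        self.states = frozenset(states)
        self.init = init
        self.trans = frozenset(trans)

    def alpha(self, s):
        """The coalgebra structure alpha: S -> P(A x S), read off from Delta."""
        return frozenset((a, t) for (src, a, t) in self.trans if src == s)


def G_apply(f, behaviour):
    """G f for G = P(A x _): rename the successor component by f (a dict)."""
    return frozenset((a, f[t]) for (a, t) in behaviour)


def is_lax_hom(f, T1, T2):
    """f: S -> S' is an I-pointed lax homomorphism (Definition 2.8):
    f(i) = i' and G f(alpha(s)) is a subset of alpha'(f(s)) for every s."""
    return f[T1.init] == T2.init and all(
        G_apply(f, T1.alpha(s)) <= T2.alpha(f[s]) for s in T1.states)


def is_hom(f, T1, T2):
    """f is a (strict) coalgebra homomorphism (Definition 2.6): the inclusion
    above is an equality, i.e. f also reflects transitions."""
    return f[T1.init] == T2.init and all(
        G_apply(f, T1.alpha(s)) == T2.alpha(f[s]) for s in T1.states)


def is_simulation(R, T1, T2):
    """Definition 2.3 spelled out for a relation R between the state sets."""
    if (T1.init, T2.init) not in R:
        return False
    for (s, s2) in R:
        for (a, t) in T1.alpha(s):
            if not any(b == a and (t, t2) in R for (b, t2) in T2.alpha(s2)):
                return False
    return True


def is_bisimulation(R, T1, T2):
    converse = frozenset((s2, s) for (s, s2) in R)
    return is_simulation(R, T1, T2) and is_simulation(converse, T2, T1)


def graph(f):
    return frozenset(f.items())


# Constructed systems: T1 is the linear system over the word ab; T2 also reads
# ab but branches non-deterministically after the first a.
T1 = LTS({0, 1, 2}, 0, {(0, "a", 1), (1, "b", 2)})
T2 = LTS({"p", "q", "r", "s"}, "p",
         {("p", "a", "q"), ("p", "a", "s"), ("q", "b", "r"), ("s", "b", "r")})

# Embedding T1 into T2 is a functional simulation (lax hom) but not a functional
# bisimulation: p has the a-successor s, which 0 cannot match through the graph.
EMBED = {0: "p", 1: "q", 2: "r"}
# Collapsing q and s identifies the two branches: a functional bisimulation (hom).
COLLAPSE = {"p": 0, "q": 1, "s": 1, "r": 2}

if __name__ == "__main__":
    print("embed: lax hom", is_lax_hom(EMBED, T1, T2), "hom", is_hom(EMBED, T1, T2))
    print("collapse: hom", is_hom(COLLAPSE, T2, T1),
          "graph is a bisimulation", is_bisimulation(graph(COLLAPSE), T2, T1))
```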


3 The Open Map Situation in Coalgebras 


Lasota's construction [19] transforms an open map situation J: P → M into
a functor G (with a partial order on G-homsets), together with a functor
Beh: M → Coalg_l(I, G) that sends open maps to G-coalgebra homomorphisms
(see Sect. 4.3 for details). In this paper, we provide a construction in the converse
direction for functors G of a certain shape.

As exemplified by LTSs, it is a common pattern that G is the composition
G = TF of two functors [12], where T is the branching type (e.g. partial, or
non-deterministic) and F is the data type, or the 'linear behaviour' (words,
trees, words modulo α-equivalence). If we instantiate our path-construction to
T = P and F = A × −, we obtain the known open map situation for LTSs
(Conclusion 2.9).

Fix a category C with pullbacks, functors T, F: C → C, an object I ∈ C
and a partial order ⊑^T on T-homsets. They determine a coalgebra situation
(C, I, TF, ⊑) where ⊑ is the partial order on TF-homsets defined by ⊑_{X,Y} =
⊑^T_{X,FY}. Under some conditions on T and F, we construct a path-category
Path(I, F + 1) and an open map situation Path(I, F + 1) -J-> Coalg_l(I, TF) where
TF-coalgebra homomorphisms and Path(I, F + 1)-open morphisms coincide.

Fig. 1. A non-precise map f that factors through the F-precise f': X → Y' × Y' + {⊥}


3.1 Precise Morphisms 


While the path category is intuitively clear for FX = A × X, it is not for inner
functors F that model tree languages. For example for FX = A + X × X, a PF-
coalgebra models transition systems over binary trees with leaves labelled in A,
instead of over words. Hence, the paths should be this kind of binary trees. We
capture the notion of tree-like shape ("every node in a tree has precisely one
route to the root") by the following abstract definition:


Definition 3.1. For a functor F: C → C, a morphism s: S → FR is called
F-precise if for all f: S → FC, g: C → D and h: R → D the following implication holds:

$$\begin{array}{ccc} S & \xrightarrow{\ f\ } & FC \\ {\scriptstyle s}\downarrow & & \downarrow{\scriptstyle Fg} \\ FR & \xrightarrow{\ Fh\ } & FD \end{array}
\quad\Longrightarrow\quad \exists\, d\colon R \to C \ \text{with}\quad
\begin{array}{ccc} S & \xrightarrow{\ f\ } & FC \\ {\scriptstyle s}\downarrow & \nearrow{\scriptstyle Fd} & \\ FR & & \end{array}
\qquad
\begin{array}{ccc} R & \xrightarrow{\ d\ } & C \\ & {\scriptstyle h}\searrow & \downarrow{\scriptstyle g} \\ & & D \end{array}$$

That is, whenever Fg · f = Fh · s, there is d: R → C with Fd · s = f and g · d = h.


Remark 3.2. If F preserves weak pullbacks, then a morphism s is F-precise iff
it fulfils the above definition for g = id.


Example 3.3. Intuitively speaking, for a polynomial Set-functor F, a map
s: S → FR is F-precise iff every element of R is mentioned precisely once
in the definition of the map s. For example, for FX = A × X + {⊥}, the case
needed later for LTSs, a map f: X → FY is precise iff for every y ∈ Y, there
is a unique pair (x, a) ∈ X × A such that f(x) = (a, y). For FX = X × X + {⊥}
on Set, the map f: X → FY in Fig. 1 is not F-precise, because y_2 is used three
times (once in f(x_2) and twice in f(x_3)), and y_3 and y_4 do not occur in f at
all. However, f': X → FY' is F-precise because every element of Y' is used
precisely once in f', and we have that Fh · f' = f. Also note that f' defines a
forest where X is the set of roots, which is closely connected to the intuition
that, in the F-precise map f', from every element of Y', there is precisely one
edge up to a root in X.


So when transforming a non-precise map into a precise map, one duplicates
elements that are used multiple times and drops elements that are not used.
We will cover functors F for which this factorization pattern provides F-precise
maps. If F involves unordered structure, this factorization needs to make choices,
and so we restrict the factorization to a class 𝒮 of objects that have that choice-
principle (see Example 4.5 later):


Definition 3.4. Fix a class of objects 𝒮 ⊆ obj C closed under
isomorphism. We say that F admits precise factorizations
w.r.t. 𝒮 if for every f: S → FY with S ∈ 𝒮, there exist Y' ∈ 𝒮,
h: Y' → Y and f': S → FY' F-precise with Fh · f' = f:

$$\begin{array}{ccc} S & \xrightarrow{\ f\ } & FY \\ & {\scriptstyle f'}\searrow & \uparrow{\scriptstyle Fh} \\ & & FY' \end{array}$$


Fig. 2. A path of length 4 for FX = {a} × X + X × X + {⊥} with I = {∗}.


For C = Set, 𝒮 contains all sets. However for the category of nominal sets, 𝒮
will only contain the strong nominal sets (see details in Subsect. 4.2).


Remark 3.5. Precise morphisms are essentially unique. If f_1: X → FY_1 and
f_2: X → FY_2 are F-precise and if there is some h: Y_1 → Y_2 with Fh · f_1 = f_2,
then h is an isomorphism. Consequently, if f: S → FY with S ∈ 𝒮 is F-precise
and F admits precise factorizations, then Y ∈ 𝒮.
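The factorization pattern of Example 3.3 and Definition 3.4, as an added example that is not code from the paper: for a polynomial Set-functor given by a signature, a map f: X → FY is F-precise iff every element of Y occurs exactly once over all f(x), and a non-precise f is factored as Fh · f' by duplicating each argument occurrence into a fresh element of Y'. The map f below is constructed after the description of Fig. 1 (FX = X × X + {⊥}); the symbol names "pair" and "bot" are my choice.

```python
# Added example (not from the paper): F-precise maps and precise factorizations
# for a polynomial Set-functor F X = ∐_{σ∈Σ} X^{ar(σ)} given by a signature.
# Elements of F Y are pairs (symbol, tuple of arguments from Y).
from collections import Counter


def F_apply(h, elem):
    """F h: F Y' -> F Y for a function h (a dict): rename the arguments."""
    sym, args = elem
    return (sym, tuple(h[y] for y in args))


def occurrences(f, Y):
    """How often each y in Y is mentioned over all f(x)."""
    counts = Counter(y for (_, args) in f.values() for y in args)
    return {y: counts.get(y, 0) for y in Y}


def is_precise(f, Y):
    """f: X -> F Y is F-precise iff every y in Y is used precisely once
    (Example 3.3; Proposition 4.3 (3) for the analytic case)."""
    return all(n == 1 for n in occurrences(f, Y).values())


def precise_factorization(f):
    """Return (Y', f', h) with f' F-precise and F h . f' = f (Definition 3.4).
    Every argument occurrence (x, position) becomes a fresh element of Y', so
    multiply used elements of Y are duplicated and unused ones are dropped.
    Y' is a forest with roots X: (x, pos) has exactly one edge up to x."""
    Yp, fp, h = set(), {}, {}
    for x, (sym, args) in f.items():
        fresh = tuple((x, pos) for pos in range(len(args)))
        Yp.update(fresh)
        fp[x] = (sym, fresh)
        for yp, y in zip(fresh, args):
            h[yp] = y
    return Yp, fp, h


def factors(f, fp, h):
    """Check F h . f' = f pointwise."""
    return all(F_apply(h, fp[x]) == f[x] for x in f)


# Constructed data for F X = X x X + {⊥}: binary symbol "pair", constant "bot".
Y = {"y1", "y2", "y3", "y4"}
# As in Fig. 1: y2 is used three times (once in f(x2), twice in f(x3)) and
# y3, y4 not at all, so f is not F-precise.
f = {"x1": ("bot", ()),
     "x2": ("pair", ("y1", "y2")),
     "x3": ("pair", ("y2", "y2"))}

Yp, fp, h = precise_factorization(f)

if __name__ == "__main__":
    print("f precise:", is_precise(f, Y), occurrences(f, Y))
    print("f' precise:", is_precise(fp, Yp), "F h . f' = f:", factors(f, fp, h))
```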


Functors admitting precise factorizations are closed under basic constructions: 


Proposition 3.6. The following functors admit precise factorizations w.r.t. 𝒮:


1. Constant functors, if C has an initial object 0 and 0 ∈ 𝒮.
2. F · F', if F: C → C and F': C → C do so.
3. ∐_{i∈I} F_i, if all (F_i)_{i∈I} do so and 𝒮 is closed under I-coproducts.
4. ∏_{i∈I} F_i, if all (F_i)_{i∈I} do so, C is I-extensive and 𝒮 is closed under I-
coproducts.
5. Right-adjoint functors, if and only if their left-adjoint preserves 𝒮-objects.


Example 3.7. When C is infinitary extensive and 𝒮 is closed under coproducts,
every polynomial endofunctor F: C → C admits precise factorizations w.r.t. 𝒮.
This is in particular the case for C = 𝒮 = Set. In this case, we shall see later
(Sect. 4.1) that many other Set-functors, e.g. the bag functor B, where B(X) is
the set of finite multisets, have precise factorizations. In contrast, F = P does
not admit precise factorizations, and if f: X → PY is P-precise, then f(x) = ∅
for all x ∈ X.
3.2 Path Categories in Pointed Coalgebras


We define a path for I-pointed TF-coalgebras as a tree according to F. Following
the observation in Example 3.3, one layer of the tree is modelled by an F-precise
morphism and hence a path in a TF-coalgebra is defined to be a finite sequence
of (F + 1)-precise maps, where the − + 1 comes from the dead states w.r.t. T;
the argument is given later in Remark 3.23 when reachability is discussed. Since
the − + 1 is not relevant yet, we define Path(I, F) in the following and will use
Path(I, F + 1) later. For simplicity, we write X_n for finite families (X_k)_{0≤k<n}.


Definition 3.8. The category Path(I, F) consists of the following. An object
is (P_{n+1}, p_n) for an n ∈ ℕ with P_0 = I and p_n a family of F-precise maps
(p_k: P_k → FP_{k+1})_{k<n}. We say that (P_{n+1}, p_n) is a path of length n. A
morphism φ_{n+1}: (P_{n+1}, p_n) → (Q_{m+1}, q_m), m ≥ n, is a family (φ_k: P_k → Q_k)_{k≤n}
with φ_0 = id_I and q_k · φ_k = Fφ_{k+1} · p_k for all 0 ≤ k < n.


Example 3.9. Paths for FX = A × X + 1 and I = {∗} singleton are as follows.
First, a map f: I → FX is precise iff (up to isomorphism) either X = I and
f(∗) = (a, ∗) for some a ∈ A; or X = ∅ and f(∗) = ⊥. Then a path is isomorphic
to an object of the form: P_i = I for i ≤ k, P_i = ∅ for i > k, p_i(∗) = (a_i, ∗) for
i < k, and p_k(∗) = ⊥. A path is the same as a word, plus some "junk"; concretely,
a word in A*.⊥*. For LTSs, an object in Path(I, F) with FX = A × X is simply
a word in A*. For a more complicated functor, Fig. 2 depicts a path of length
4, which is a tree for the signature with one unary, one binary symbol, and a
constant. The layers of the tree are the sets P_k. Also note that since every p_i is
F-precise, there is precisely one route to go from every element of a P_i to ∗.


Remark 3.10. The inductive continuation of Remark 3.5 is as follows. Given a
morphism φ_{n+1} in Path(I, F), since φ_0 is an isomorphism, φ_k is an isomorphism
for all 0 ≤ k ≤ n. If F admits precise factorizations and if I ∈ 𝒮, then for
every path (P_{n+1}, p_n), all P_k, 0 ≤ k ≤ n, are in 𝒮.


Remark 3.11. If in Definition 3.4 the connecting morphism h: Y' → Y uniquely
exists, then it follows by induction that the hom-sets of Path(I, F) are at most
singleton. This is the case for all polynomial functors, but not the case for the
bag functor on sets (discussed in Subsect. 4.1).


Definition 3.12. The path poset PathOrd(I, F) is the set ∐_{n∈ℕ} C(I, F^n 1)
equipped with the order: for u: I → F^n 1 and v: I → F^m 1, we define u ≤ v
if n ≤ m and F^n(!) · v = u.

$$\begin{array}{ccc} I & \xrightarrow{\ v\ } & F^m 1 \\ & {\scriptstyle u}\searrow & \downarrow{\scriptstyle F^n(!)} \\ & & F^n 1 \end{array}$$


So u ≤ v if u is the truncation of v to n levels. This matches the morphisms in
Path(I, F) that witness that one path is a prefix of another:


Proposition 3.13. 1. The functor Comp: Path(I, F) → PathOrd(I, F) defined
on (P_{n+1}, p_n) by

$$I = P_0 \xrightarrow{\ p_0\ } FP_1 \xrightarrow{\ Fp_1\ } \cdots \xrightarrow{\ F^{n-1}p_{n-1}\ } F^n P_n \xrightarrow{\ F^n !\ } F^n 1$$

is full, and reflects isos.
2. If F admits precise factorizations w.r.t. 𝒮 and I ∈ 𝒮, then Comp is surjective.
3. If additionally h in Definition 3.4 is unique, then Comp has a right-inverse.

In particular, PathOrd(I, F) is Path(I, F) up to isomorphism. In the
instances, it is often easier to characterize PathOrd(I, F). This also shows that
Path(I, F) contains the elements (understood as morphisms from I) of the
finite start of the final chain of F:

$$1 \xleftarrow{\ !\ } F1 \xleftarrow{\ F!\ } F^2 1 \xleftarrow{\ F^2 !\ } F^3 1 \longleftarrow \cdots$$


Example 3.14. When FX = A × X + 1, F^n 1 is isomorphic to the set of words
in A*.⊥* of length n. Consequently, PathOrd(I, F) is the set of words in A*.⊥*,
equipped with the prefix order. In this case, Comp is an equivalence of categories.


3.3 Embedding Paths into Pointed Coalgebras 


The paths (P_{n+1}, p_n) embed into Coalg_l(I, TF) as one expects it for examples
like Fig. 2: one takes the disjoint union of the P_k, one has the pointing I = P_0
and the linear structure of F is embedded into the branching type T.

During the presentation of the results, we require T, F, and I to have cer- 
tain properties, which will be introduced one after the other. The full list of 
assumptions is summarized in Table 2: 

(Ax1) — The main theorem will show that coalgebra homomorphisms in
Coalg_l(I, TF) are the open maps for the path category Path(I, F + 1). So from
now on, we assume that C has finite coproducts and, to use the results from
the previous sections, we fix a class 𝒮 ⊆ obj C such that F + 1 admits precise
factorizations w.r.t. 𝒮 and that I ∈ 𝒮.

(Ax2) — Recall that a family of morphisms (e_i: X_i → Y)_{i∈I} with common
codomain is called jointly epic if for f, g: Y → Z we have that f · e_i = g · e_i ∀i ∈ I
implies f = g. For Set, this means that every element y ∈ Y is in the image
of some e_i. Since we work with partial orders on T-homsets, we also need the
generalization of this property if f ⊑ g are of the form Y → TZ.

(Ax3) — In this section, we encode paths as a pointed coalgebra by constructing
a functor J: Path(I, F + 1) → Coalg_l(I, TF). For that we need to embed the
linear behaviour FX + 1 into TFX. This is done by a natural transformation
[η, ⊥]: Id + 1 → T, and we require that ⊥: 1 → T is a bottom element for ⊑.


Example 3.15. For the case where T is the powerset functor P, η is given by the
unit η_X(x) = {x}, and ⊥ is given by empty sets ⊥_X(∗) = ∅.


Definition 3.16. We have an inclusion functor J: Path(I, F + 1) →
Coalg_l(I, TF) that maps a path (P_{n+1}, p_n) to an I-pointed TF-coalgebra on
∐P_{n+1} := ∐_{0≤k≤n} P_k. The pointing is given by in_0: I = P_0 → ∐P_{n+1} and
the structure by the cotuple of the morphisms

$$P_k \xrightarrow{\ p_k\ } FP_{k+1} + 1 \xrightarrow{\ F\,\mathrm{in}_{k+1} + 1\ } F\textstyle\coprod P_{n+1} + 1 \xrightarrow{\ [\eta, \bot]\ } TF\coprod P_{n+1} \qquad (0 \le k < n)$$

together with ⊥ · !: P_n → 1 → TF∐P_{n+1} on the last layer.


Example 3.17. In the case of LTSs, a path, or equivalently a word a_1…a_k.⊥…⊥ ∈
A*.⊥*, is mapped to the finite linear system over a_1…a_k (see Sect. 2.1), seen as
a coalgebra (see Sect. 2.2).
Proposition 3.18. Given a morphism [x_k]_{k≤n}: ∐P_{n+1} → X for some system
(X, ξ, x_0) and a path (P_{n+1}, p_n), we have that

[x_k]_{k≤n}: J(P_{n+1}, p_n) → (X, ξ, x_0) is a run in Coalg_l(I, TF)

if and only if for all k < n the following square commutes laxly:

$$\begin{array}{ccc} P_k & \xrightarrow{\ x_k\ } & X \\ {\scriptstyle p_k}\downarrow & \sqsubseteq & \downarrow{\scriptstyle \xi} \\ FP_{k+1} + 1 & \xrightarrow{\ Fx_{k+1} + 1\ } FX + 1 \xrightarrow{\ [\eta,\bot]_X\ } & TFX \end{array}$$

that is, [η, ⊥]_X · (Fx_{k+1} + 1) · p_k ⊑ ξ · x_k.


Also note that the pointing x_0 of the coalgebra is necessarily the first component
of any run in it. In a run [x_k]_{k≤n}, p_k corresponds to an edge from x_k to x_{k+1}.


Example 3.19. For LTSs, since the P_k are singletons, x_k just picks the kth state
of the run. The right-hand side of this lemma describes that this is a run iff there
is a transition from the kth state to the (k+1)-th state.


3.4 Open Morphisms Are Exactly Coalgebra Homomorphisms 


In this section, we prove our main contribution, namely that Path(I, F + 1)-
open maps in Coalg_l(I, TF) are exactly coalgebra homomorphisms. For the first
direction of the main theorem, that is, that coalgebra homomorphisms are open,
we need two extra axioms:

(Ax4) — describing that the order on C(X, TY) is point-wise. This holds for
the powerset because every set is the union of its singleton subsets.

(Ax5) — describing that C(X, TY) admits a choice-principle. This holds for
the powerset because whenever y ∈ h[x] for a map h: X → Y and x ⊆ X, then
there is some {x'} ⊆ x with h(x') = y.


Theorem 3.20. Under the assumptions of Table 2, a coalgebra homomorphism
in Coalg_l(I, TF) is Path(I, F + 1)-open.


Table 2. Main assumptions on F, T: C → C, ⊑^T, 𝒮 ⊆ obj C

(Ax1) F + 1 admits precise factorizations w.r.t. 𝒮, and I ∈ 𝒮.
(Ax2) If (e_i: X_i → Y)_{i∈I} is jointly epic, then f · e_i ⊑ g · e_i for all i ∈ I implies f ⊑ g.
(Ax3) [η, ⊥]: Id + 1 → T, with ⊥_Y · !_X ⊑ f for all f: X → TY.
(Ax4) For every f: X → TY with X ∈ 𝒮: f = ⊔ { [η, ⊥]_Y · f' | f': X → Y + 1, [η, ⊥]_Y · f' ⊑ f }.
(Ax5) For every A ∈ 𝒮, a: A → TX, h: X → Y and b: A → Y + 1 with [η, ⊥]_Y · b ⊑ Th · a,
      there is b': A → X + 1 with (h + 1) · b' = b and [η, ⊥]_X · b' ⊑ a.


The converse is not true in general, because intuitively, open maps reflect 
runs, and thus only reflect edges of reachable states, as we have seen in Sect. 2.1. 
The notion of a state being reached by a path is the following: 
Definition 3.21. A system (X, ξ, x_0) is path-reachable if the family of runs
[x_k]_{k≤n}: J(P_{n+1}, p_n) → (X, ξ, x_0) (of paths from Path(I, F + 1)) is jointly epic.


Example 3.22. For LTSs, this means that every state in X is reached by a run,
that is, there is a path from the initial state to every state of X.


Remark 3.23. In Definition 3.21, it is crucial that we consider Path(I, F + 1) and
not Path(I, F) for functors incorporating 'arities ≥ 2'. This does not affect the
example of LTSs, but for I = 1, FX = X × X and T = P in Set, the coalgebra
(X, ξ, x_0) on X = {x_0, y_1, y_2, z_1, z_2} given by ξ(x_0) = {(y_1, y_2)}, ξ(y_1) =
{(z_1, z_2)}, ξ(y_2) = ξ(z_1) = ξ(z_2) = ∅ is path-reachable for Path(I, F + 1). There
is no run of a length 2 path from Path(I, F), because y_2 has no successors, and
so there is no path to z_1 or to z_2.


Theorem 3.24. Under the assumptions of Table 2, if (X, ξ, x_0) is path-
reachable, then an open morphism h: (X, ξ, x_0) → (Y, ζ, y_0) is a coalgebra
homomorphism.


3.5 Connection to Other Notions of Reachability 
There is another concise notion for reachability in the coalgebraic literature [2]. 


Definition 3.25. A subcoalgebra of (X, ξ, x_0) is a coalgebra homomorphism
h: (Y, ζ, y_0) → (X, ξ, x_0) that is carried by a monomorphism h: Y ↣ X. Fur-
thermore (X, ξ, x_0) is called reachable if it has no proper subcoalgebra, i.e. if any
subcoalgebra h is an isomorphism.


Under the following assumptions, this notion coincides with the path-based def- 
inition of reachability (Definition 3.21). 


Assumption 3.26. For the present Subsect.3.5, let C be cocomplete, have 
(epi,mono)-factorizations and wide pullbacks of monomorphisms. 


The first direction follows directly from Theorem 3.20: 
Proposition 3.27. Every path-reachable (X, ξ, x_0) has no proper subcoalgebra.


For the other direction it is needed that TF preserves arbitrary intersections,
that is, wide pullbacks of monomorphisms. In Set, this means that for a family
(X_i ⊆ Y)_{i∈I} of subsets we have ⋂_{i∈I} TFX_i = TF(⋂_{i∈I} X_i) as subsets of TFY.

Proposition 3.28. If, furthermore, for every monomorphism m: Y → Z, the
function C(−, Tm): C(X, TY) → C(X, TZ) reflects joins and if TF pre-
serves arbitrary intersections, then a reachable coalgebra (X, ξ, x_0) is also path-
reachable.


All those technical assumptions are satisfied in the case of LTSs, and will also 
be satisfied in all our instances in Sect. 4. 




3.6 Trace Semantics for Pointed Coalgebras 


The characterization from Theorems 3.20 and 3.24 points out a natural way
of defining a trace semantics for pointed coalgebras. Indeed, the path category
Path(I, F + 1) provides a natural way of defining the runs of a system. A possible
way to go from runs to trace semantics is to describe accepting runs as the
subcategory J': Path(I, F) → Path(I, F + 1). We can define the trace semantics
of a system (X, ξ, x_0) as the set:

$$\mathrm{tr}(X, \xi, x_0) = \{\, \mathrm{Comp}(P_{n+1}, p_n) \mid \exists\ \text{run } [x_k]_{k \le n}\colon JJ'(P_{n+1}, p_n) \to (X, \xi, x_0) \ \text{with}\ (P_{n+1}, p_n) \in \mathrm{Path}(I, F) \,\}$$


Since Path(I, F)-open maps preserve and reflect runs, we have the following:


Corollary 3.29. tr: Coalg_l(I, TF) → (P(PathOrd(I, F)), ⊆) is a functor and if
h: (X, ξ, x_0) → (Y, ζ, y_0) is Path(I, F + 1)-open, then tr(X, ξ, x_0) = tr(Y, ζ, y_0).


Let us look at two LTS-related examples (we will describe some others in the
next section). First, for FX = A × X. The usual trace semantics is given by
all the words in A* that are the labels of a run of the system. This trace semantics
is obtained because PathOrd(I, F) = ∐_{n≥0} A^n and because Comp maps every
path to its underlying word. Another example is given for FX = A × X + {✓},
where ✓ marks final states. In this case, a path in Path(I, F) of length n is either
a path that can still be extended or encodes less than n steps to an accepting
state ✓. This yields the trace semantics containing the set of accepted words,
as in automata theory, plus the set of possibly infinite runs.
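Runs of paths and the trace semantics of this section, computed for a {∗}-pointed PF-coalgebra with F polynomial, as an added example that is not code from the paper; it also covers Remark 3.23, whose coalgebra is reproduced as REMARK_323. Partial runs are elements of (F + 1)^n(1) written as nested tuples; the bound on the path length and the automaton AUTOMATON (for FX = A × X + {✓}) are my own constructions.

```python
# Added example (not from the paper): runs of paths and the trace semantics of
# Sect. 3.6 for a {*}-pointed P F-coalgebra, F X = ∐_{σ∈Σ} X^{ar(σ)} polynomial.
# A coalgebra is a dict  state -> set of (symbol, successor tuple).  Trees in
# (F + 1)^n(1) are nested tuples (symbol, children), with STAR for the leaves
# at depth n and BOT for ⊥ (a dead state, Remark 3.23).
from itertools import product

STAR, BOT = "*", "⊥"


def runs(xi, x, n, allow_bot):
    """All runs of paths of length n starting in state x, annotated with the
    states visited: a node is (state, tree).  allow_bot=True takes paths from
    Path(I, F + 1): a path may stop in ⊥ at any node, since ⊥ ⊑ xi(x) always
    holds (Ax3).  allow_bot=False takes paths from Path(I, F)."""
    if n == 0:
        return {(x, STAR)}
    result = set()
    if allow_bot:
        result.add((x, BOT))
    for sym, succs in xi[x]:
        child_runs = [runs(xi, y, n - 1, allow_bot) for y in succs]
        for children in product(*child_runs):   # a nullary symbol gives one run
            result.add((x, (sym, children)))
    return result


def states_of(run):
    x, tree = run
    if tree in (STAR, BOT):
        return {x}
    return {x}.union(*(states_of(c) for c in tree[1]))


def comp(run):
    """Comp: forget the states and keep the element of (F + 1)^n(1)."""
    x, tree = run
    if tree in (STAR, BOT):
        return tree
    return (tree[0], tuple(comp(c) for c in tree[1]))


def path_reached(xi, x0, max_len, allow_bot):
    """States reached by a run of some path of length <= max_len
    (Definition 3.21, restricted to the bound)."""
    reached = set()
    for n in range(max_len + 1):
        for r in runs(xi, x0, n, allow_bot):
            reached |= states_of(r)
    return reached


def trace(xi, x0, max_len):
    """tr(X, xi, x0) up to paths of length max_len: Comp of the runs of paths
    from Path(I, F), i.e. runs that never stop in ⊥."""
    return {comp(r) for n in range(max_len + 1) for r in runs(xi, x0, n, False)}


def is_complete(tree):
    """A partial run without any * leaf: a finite accepted tree (or word)."""
    if isinstance(tree, str):
        return False
    return all(is_complete(c) for c in tree[1])


# Remark 3.23: F X = X x X on states x0, y1, y2, z1, z2.  y2 is dead, so no
# ⊥-free path of length 2 has a run, yet z1 and z2 are path-reachable.
REMARK_323 = {
    "x0": {("pair", ("y1", "y2"))}, "y1": {("pair", ("z1", "z2"))},
    "y2": set(), "z1": set(), "z2": set(),
}

# Constructed automaton for F X = A x X + {✓}, A = {a, b}: it accepts a(ba)*.
AUTOMATON = {"q0": {("a", ("q1",))}, "q1": {("b", ("q0",)), ("✓", ())}}

if __name__ == "__main__":
    print(path_reached(REMARK_323, "x0", 2, True))
    print(path_reached(REMARK_323, "x0", 2, False))
    print(sorted(map(str, trace(AUTOMATON, "q0", 3))))
```

The ⊥-free runs of the automaton are its partial runs; those without a ∗ leaf are exactly the accepted words, here a(✓).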


4 Instances 


4.1 Analytic Functors and Tree Automata 


In Example 3.7, we have seen that every polynomial Set-functor, in particular
the functor X ↦ A × X, has precise factorizations with respect to all sets.
This allowed us to see LTSs, modelled as {∗}-pointed P(A × −)-coalgebras, as
an instance of our theory. This allowed us in particular to describe their trace
semantics using our path category in Sect. 3.6. This can be extended to tree
automata as follows. Assume given a signature Σ, that is, a collection (Σ_n)_{n∈ℕ}
of disjoint sets. When σ belongs to Σ_n, we say that n is the arity of σ or
that σ is a symbol of arity n. A top-down non-deterministic tree automaton as
defined in [6] is then the same as a {∗}-pointed PF-coalgebra where F is the
polynomial functor X ↦ ∐_{σ∈Σ} X^{ar(σ)}. For this functor, F^n(1) is the set of trees
over Σ ∪ {∗^{(0)}} of depth at most n + 1 such that a leaf is labelled by ∗ if and only
if it is at depth n + 1. Intuitively, elements of F^n(1) are partial runs of length
n that can possibly be extended. Then, the trace semantics of a tree automaton,
seen as a pointed coalgebra, is given by the set of partial runs of the automaton.
In particular, this contains the set of accepted finite trees as those partial runs
without any ∗, and the set of accepted infinite trees, encoded as the sequence of
their truncations of depth n, for every n.

In the following, we would like to extend this to other kinds of tree automata 
by allowing some symmetries. For example, in a tree, we may not care about 
the order of the children. This boils down to quotient the set X” of n-tuples, by 
some permutations of the indices. This can be done generally given a subgroup 
G of the permutation group G,, on n elements by defining X"/G as the quotient 
of X” under the equivalence relation: (£1,..., £n) =G (Y1,---;Yn) iff there is 
n € G such that for all i, x; = yz). Concretely, this means that we replace the 
polynomial functor F by a so-called analytic functor: 


Definition 4.1 [14,15]. An analytic Set-functor is a functor of the form FX = 
Les, X"/Go where for every o € Xn, we have a subgroup Go of the permuta- 
tion group Gy, on n elements. 


Example 4.2. Every polynomial functor is analytic. The bag-functor is analytic,
with $\Sigma = (\{*\})_{n\in\mathbb{N}}$, which has one operation symbol per arity, and $G_\sigma = \mathfrak{S}_{\mathrm{ar}(\sigma)}$ is
the full permutation group on $\mathrm{ar}(\sigma)$ elements. It is the archetype of an analytic
functor, in the sense that for every analytic functor $F\colon \mathsf{Set} \to \mathsf{Set}$, there is a
natural transformation into the bag functor $\alpha\colon F \to B$. If $F$ is given by $\Sigma$ and
$G$ as above, then $\alpha_X$ is given by


$$FX = \coprod_{\sigma\in\Sigma_n} X^n/G_\sigma \to \coprod_{\sigma\in\Sigma_n} X^n/\mathfrak{S}_n \to \coprod_{n\in\mathbb{N}} X^n/\mathfrak{S}_n = BX.$$


Proposition 4.3. For an analytic Set-functor $F$, the following are equivalent:
(1) a map $f\colon X \to FY$ is $F$-precise, (2) $\alpha_Y \cdot f$ is $B$-precise, (3) every element
of $Y$ appears precisely once in the definition of $f$, i.e. for every $y \in Y$, there is
exactly one $x$ in $X$ such that $f(x)$ is the equivalence class of a tuple $(y_1,\ldots,y_n)$
where there is an index $i$ such that $y_i = y$, and furthermore this index is unique.
So every analytic functor has precise factorizations w.r.t. Set.
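As an added illustration of condition (3), not taken from the paper, consider the analytic functor of unordered pairs $B_2 X = X^2/\mathfrak{S}_2$ (one symbol $\sigma$ of arity 2 with $G_\sigma = \mathfrak{S}_2$, and $\Sigma_n = \emptyset$ for $n \neq 2$); the maps $g$, $h$, $k$ and the sets $X$, $Y$ below are constructed for this example.

```latex
% Added example for condition (3) of Proposition 4.3; the maps g, h, k are constructed here.
\begin{itemize}
\item Let $Y = \{y_1,y_2,y_3,y_4\}$, $X = \{x_1,x_2\}$ and
  $g(x_1) = [(y_1,y_2)] = [(y_2,y_1)]$, $g(x_2) = [(y_3,y_4)]$.
  Every $y \in Y$ occurs in exactly one $g(x)$ and at exactly one index of the
  representative; index uniqueness does not depend on the representative, since
  $G_\sigma$ only permutes indices. Hence $g$ is $B_2$-precise.
\item $h(x_1) = [(y_1,y_2)]$, $h(x_2) = [(y_2,y_3)]$ on $Y' = \{y_1,y_2,y_3\}$ is not precise:
  $y_2$ occurs in two different $h(x)$, so the clause ``exactly one $x$'' fails.
\item $k(x_1) = [(y_1,y_2)]$, $k(x_2) = [(y_3,y_3)]$ on $Y'$ is not precise:
  $y_3$ occurs at both indices of the representative of $k(x_2)$, so the index $i$ is not unique.
\end{itemize}
For (2): $\alpha_Y \cdot g$ sends $x_1$ to the bag $\{\!\{y_1,y_2\}\!\}$ and $x_2$ to
$\{\!\{y_3,y_4\}\!\}$; each $y$ has total multiplicity one over all $x$, whereas
$\alpha_{Y'} \cdot h$ gives $y_2$ multiplicity two and $\alpha_{Y'} \cdot k$ gives $y_3$ multiplicity two.
```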


4.2 Nominal Sets: Regular Nondeterministic Nominal Automata 


We derive an open map situation from the coalgebraic situation for regular
nondeterministic nominal automata (RNNAs) [26]. They are an extension of
automata to accept words with binders, consisting of literals $a \in \mathbb{A}$ and binders
$|_a$ for $a \in \mathbb{A}$; the latter is counted as length 1. An example of such a word of length
4 is $a\,|_c\, bc$, where the last $c$ is bound by $|_c$. The order of binders makes a difference:
$|_a|_b\, ab \neq |_a|_b\, ba$. RNNAs are coalgebraically represented in the category of nominal
sets [10], a formalism about atoms (e.g. variables) that sit in more complex
structures (e.g. lambda terms), which gives a notion of binding. Because the choice
principles (Ax4) and (Ax5) are not satisfied by every nominal set, we instead
use the class of strong nominal sets for the precise factorization (Definition 3.4).


Definition 4.4 [10,24]. Fix a countably infinite set $\mathbb{A}$, called the set of atoms.
For the group $\mathfrak{S}_f(\mathbb{A})$ of finite permutations on the set $\mathbb{A}$, a group action $(X,\cdot)$
is a set $X$ together with a group homomorphism $\cdot\colon \mathfrak{S}_f(\mathbb{A}) \to \mathfrak{S}(X)$, written in
infix notation. An element $x \in X$ is supported by $S \subseteq \mathbb{A}$ if for all $\pi \in \mathfrak{S}_f(\mathbb{A})$
with $\pi(a) = a$ for all $a \in S$ we have $\pi \cdot x = x$. A nominal set is a group action
for $\mathfrak{S}_f(\mathbb{A})$ such that every $x \in X$ is finitely supported, i.e. supported by a finite
$S \subseteq \mathbb{A}$. A map $f\colon (X,\cdot) \to (Y,*)$ is equivariant if for all $x \in X$ and $\pi \in \mathfrak{S}_f(\mathbb{A})$
we have $f(\pi \cdot x) = \pi * f(x)$. The category of nominal sets and equivariant maps
is denoted by $\mathsf{Nom}$. A nominal set $(X,\cdot)$ is called strong if for all $x \in X$ and
$\pi \in \mathfrak{S}_f(\mathbb{A})$ with $\pi \cdot x = x$ we have $\pi(a) = a$ for all $a \in \mathrm{supp}(x)$.


Intuitively, the support of an element is the set of free literals. An equivariant
map can forget some of the support of an element, but can never introduce new
atoms, i.e. $\mathrm{supp}(f(x)) \subseteq \mathrm{supp}(x)$. The intuition behind strong nominal sets is
that all atoms appear in a fixed order; that is, $\mathbb{A}^n$ is strong, but $\mathcal{P}_f(\mathbb{A})$ (the finite
powerset) is not. We set $\mathcal{S}$ to be the class of strong nominal sets:


Example 4.5. The $\mathsf{Nom}$-functor of unordered pairs admits precise factorizations
w.r.t. strong nominal sets, but not w.r.t. all nominal sets.


In the application, we fix the set $I = \mathbb{A}^{\#n}$ of distinct $n$-tuples of atoms ($n \geq 0$)
as the pointing. The hom-sets $\mathsf{Nom}(X, \mathcal{P}_{\mathrm{ufs}}Y)$ are ordered point-wise.


Proposition 4.6. The uniformly finitely supported powerset $\mathcal{P}_{\mathrm{ufs}}(X) = \{Y \subseteq X \mid
\bigcup_{y\in Y} \mathrm{supp}(y) \text{ finite}\}$ satisfies (Ax2-5) w.r.t. $\mathcal{S}$, the class of strong nominal sets.¹


As for $F$, we study an LTS-like functor, extended with the binding functor [10]:


Definition 4.7. For a nominal set $X$, define the $\alpha$-equivalence relation $\sim_\alpha$ on
$\mathbb{A} \times X$ by: $(a,x) \sim_\alpha (b,y) \Leftrightarrow \exists c \in \mathbb{A} \setminus \mathrm{supp}(x) \setminus \mathrm{supp}(y)$ with $(a\,c)\cdot x = (b\,c)\cdot y$.
Denote the quotient by $[\mathbb{A}]X := \mathbb{A} \times X/{\sim_\alpha}$. The assignment $X \mapsto [\mathbb{A}]X$ extends
to a functor, called the binding functor $[\mathbb{A}]\colon \mathsf{Nom} \to \mathsf{Nom}$.


RNNAs are precisely $\mathcal{P}_{\mathrm{ufs}}F$-coalgebras for $FX = \{\checkmark\} + [\mathbb{A}]X + \mathbb{A} \times X$ [26]. In
this paper we additionally consider initial states for RNNAs.
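As an added worked instance of Definition 4.7 (not from the paper), take $X = \mathbb{A}$, the nominal set of atoms with action $\pi \cdot a = \pi(a)$ and $\mathrm{supp}(a) = \{a\}$, and compute some $\alpha$-equivalences in $[\mathbb{A}]\mathbb{A}$; the last line applies the same computation to words in $\mathbb{A}^*$ (letter-wise action), which is how a binder transition of the RNNA functor above is read.

```latex
% Added example: alpha-equivalence in [A]A and on words; all atoms a, a', b, c are constructed names.
\begin{align*}
(a,a) &\sim_\alpha (b,b) && \text{for all } a,b:\ \text{pick } c \notin \{a,b\},\ \text{then } (a\,c)\cdot a = c = (b\,c)\cdot b;\\
(a,b) &\sim_\alpha (a',b) && \text{for } a,a' \neq b:\ \text{pick } c \notin \{a,a',b\},\ \text{then } (a\,c)\cdot b = b = (a'\,c)\cdot b;\\
(a,b) &\not\sim_\alpha (a,a) && \text{for } a \neq b:\ \text{every admissible } c \text{ has } c \neq b,\ \text{so } (a\,c)\cdot b = b \neq c = (a\,c)\cdot a.
\end{align*}
Hence $[\mathbb{A}]\mathbb{A}$ has one class $[(a,a)]$ (the bound atom) and one class $[(a,b)]$
for every free atom $b$, i.e. $[\mathbb{A}]\mathbb{A} \cong 1 + \mathbb{A}$.

A successor $[(a,x)] \in [\mathbb{A}]X$ of a state in a $\mathcal{P}_{\mathrm{ufs}}F$-coalgebra is read as the
binder $|_a$ followed by the behaviour of $x$. On words, with $X = \mathbb{A}^*$ and
$\mathrm{supp}(ab) = \{a,b\}$, the same computation gives, for $a,a' \neq b$ and $c \notin \{a,a',b\}$,
\[
(a,\, ab) \sim_\alpha (a',\, a'b) \quad\text{since}\quad (a\,c)\cdot ab = cb = (a'\,c)\cdot a'b,
\]
which is the renaming of a bound literal, $|_a\, ab \equiv |_{a'}\, a'b$, while the free literal $b$ stays fixed.
```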


Proposition 4.8. The binding functor $[\mathbb{A}]$ admits precise factorizations w.r.t.
strong nominal sets, and so does $FX = \{\checkmark\} + [\mathbb{A}]X + \mathbb{A} \times X$.


An element in $\mathrm{PathOrd}(\mathbb{A}^{\#n}, F)$ may be regarded as a word with binders
under a context $\bar a \vdash w$, where $\bar a \in \mathbb{A}^{\#n}$, all literals in $w$ are bound or in $\bar a$, and $w$
may end with $\checkmark$. Moreover, two words-in-context $\bar a \vdash w$ and $\bar a' \vdash w'$ are identified
if their closures are $\alpha$-equivalent, that is, $|_{a_1} \cdots |_{a_n}\, w = |_{a'_1} \cdots |_{a'_n}\, w'$. The trace
semantics of an RNNA $T$ contains all the words-in-context corresponding to runs
in $T$. This trace semantics distinguishes whether words are concluded by $\checkmark$.


4.3 Subsuming Arbitrary Open Morphism Situations 


Lasota [19] provides a translation of a small path-category $\mathbb{P} \to \mathbb{M}$ into a functor
$F\colon \mathsf{Set}^{|\mathbb{P}|} \to \mathsf{Set}^{|\mathbb{P}|}$ defined by $F(X_P)_P = \big(\prod_{Q\in\mathbb{P}} (\mathcal{P}(X_Q))^{\mathbb{P}(P,Q)}\big)_{P\in\mathbb{P}}$.


¹ There are two variants of powersets discussed in [26]. The finite powerset $\mathcal{P}_f$ also
fulfils the axioms. However, the finitely supported powerset $\mathcal{P}_{\mathrm{fs}}$ does not fulfil (Ax5).
So the hom-sets $\mathsf{Set}^{|\mathbb{P}|}(X, FY)$ have a canonical order, namely the point-wise
inclusion. This admits a functor $\mathrm{Beh}$ from $\mathbb{M}$ to $F$-coalgebras and lax coalgebra
homomorphisms, and Lasota shows that $f \in \mathbb{M}(X,Y)$ is $\mathbb{P}$-open iff $\mathrm{Beh}(f)$ is
a coalgebra homomorphism. In the following, we show that we can apply our
framework to $F$ by a suitable decomposition $F = T\bar F$ and a suitable object $I$ for
the initial state pointing. As usual in open map papers, we require that $\mathbb{P}$ and
$\mathbb{M}$ have a common initial object $0_{\mathbb{P}}$. Observe that we have $F = T \cdot \bar F$ where


$$T(X_P)_{P\in\mathbb{P}} = (\mathcal{P}(X_P))_{P\in\mathbb{P}} \quad\text{and}\quad \bar F(X_P)_{P\in\mathbb{P}} = \Big(\coprod_{Q\in\mathbb{P}} \mathbb{P}(P,Q) \times X_Q\Big)_{P\in\mathbb{P}}.$$


Lasota considers coalgebras without pointing, but one indeed has a canonical
pointing as follows. For $P \in \mathbb{P}$, define the characteristic family $\chi^P \in \mathsf{Set}^{|\mathbb{P}|}$ by
$\chi^P_Q = 1$ if $P = Q$ and $\chi^P_Q = \emptyset$ if $P \neq Q$. With this, we fix the pointing $I = \chi^{0_{\mathbb{P}}}$.


Proposition 4.9. $T$, $\bar F$ and $I$ satisfy the axioms from Table 2, with $\mathcal{S} = \mathsf{Set}^{|\mathbb{P}|}$.


The path category in $\mathsf{Coalg}_l(I, T\bar F)$ from our theory can be described as follows.


Proposition 4.10. An object of $\mathrm{Path}(I, \bar F)$ is a sequence of composable $\mathbb{P}$-morphisms
$0_{\mathbb{P}} \to P_1 \to P_2 \to \cdots$.


5 Conclusions and Further Work 


We proved that coalgebra homomorphisms for systems with non-deterministic
branching can be seen as open maps for a canonical path-category, constructed
from the computation type $F$. This limitation to non-deterministic systems is
unsurprising: as we have proved in Sect. 4.3 on Lasota's work [19], every open
map situation can be encoded as a coalgebra situation with a powerset-like
functor, so with non-deterministic branching. As future work, we would like to
extend this theory of path-categories to coalgebras for further kinds of branching,
especially probabilistic and weighted. This will require (1) adapting open maps
to allow those kinds of branching, and (2) adapting the axioms from Table 2, by replacing
the "+1" part of (Ax1) with something depending on the branching type.